Slashdot Mirror

← Back to Stories (view on slashdot.org)

SELinux Moving Into The Mainstream

Posted by CowboyNeal on from the into-its-own dept.

PaxTech writes "Security Enhanced Linux is moving into the mainstream rapidly, bringing its implementation of mandatory access control to a wider audience. The agenda for the 2006 SELinux Symposium has just been announced, distributions such as Fedora are including SELinux in the default build, and ports are underway to bring SELinux functionality to BSD and Darwin. Security minded systems administrators should be learning about this technology as it provides another strong layer of security for Linux servers."

10 of 24 comments (clear)

  1. Next priority should be targeted policies for apps by NZheretic · · Score: 4, Interesting
    Browsers and internet accessing applications really need a series of targeted policies that can limit what third party extention, plugins and applet/scripting systems have access to.

    Almost all plugins should only need read access to its install directory/libraries, to a dedicated subdirectory for plugin for each application, and maybe ( at the users agreement ) common incoming and outgoing directory.

  2. You mean like how DARPA funded the internet? by NZheretic · · Score: 3, Informative
    A Brief History of the Internet.

    Also Larry Wall, author of Perl, was originally funded by the U.S. National Security Administration (NSA) as part of the "Blacker" project ; AND
    DARPA grants largely funded the development of UNIX 4.1 BSD (Berkeley Software Distribution) as well as the later development of the TCP/IP networking protocols.

  3. Re:grsec? by A+beautiful+mind · · Score: 2, Interesting

    Because they are different in spirit. SELinux is something that gives the necessary features for an organization like NSA where they require a level C or B or higher classified system.

    Grsecurity is more like for the common user wanting to make their system more secure.

    I'm aware that this is very vague like this, but it gives the general idea I hope. Personally I use Grsec for my home box, but an organization wanting to replace old mainframes needs to look into a bit different solutions, like SELinux.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  4. Re:And by mainstream, we mean by kopykat · · Score: 2, Insightful

    it just sounds to gruesome to me that anything that has to do with the .gov analysis is "bad!" considering that berkeley bsd, and really all unix before the introduction of the internet was government and university based as its primary source of development and contingency to the IT world at the time... SElinux is basically a strategic move to inspire and solidify the security of networking and internet services globally where the use of black art hacking has become a problem in every nation that has any form internet communication and the developers who developed it happen to have been open source experts in congruency with NAS developers... . !

  5. To quote Russell Coker by NZheretic · · Score: 5, Informative
    Russell Coker posted one of the most concise rationals to the SELinux Mailing List:
    GR Security includes PaX for protection against stack smashing and other similar attacks. But it also has an ACL system of it's own and limited chroot's (IE process in chroot can't touch the outside environment or other chroot's).

    SE Linux is an implementation of the domain-type security model. The domain a process is in determines that access it is given. Domains can change automatically on execution of certain processes (eg getty, login, and ping) or when executing a process a SE Linux aware program can specify the security context of the child process (within a certain range), login, sshd, and cron do this.

    The grsec ACL system and RSBAC don't support modifying applications to specify the security context, so they don't support giving different access to different non-root users.

    I think that Grsec has better support for some aspects of IP networking control, such as controlling which IP address a process can bind to (currently SE Linux only supports controlling bind access by port).

    RSBAC has lots of options for a huge number of things as they take the kitchen sink approach. You have to answer about 40 questions at kernel configuration time, and it's not clear which combinations of options are viable.

    Also visit the SELinux Frequently Asked Questions.
  6. Re:And by mainstream, we mean by legalize.ganja.now. · · Score: 2, Informative

    not that i'm a nsa-fanboy but:
    selinux is both free and open (see http://www.nsa.gov/selinux/info/license.cfm)...

  7. Interesting to see it being ported by Kelson · · Score: 2, Interesting

    ...to BSD and Darwin. I've been using Fedora Core since it was first released, and I've watched SELinux go from a slightly clunky annoyance in FC2 to just another part of the system in FC4 as they refined the targeted policy. I'm not sure how much of that was done by the NSA and how much by Red Hat, but it's made a huge difference -- more, even, than the slowly improving security GUI in Fedora Core (though SELinux desperately needs something to make it easier to administer).

    Back to BSD/Darwin, I do have to wonder -- how well would a successful Darwin port of SELinux interact with Mac OS X's security model? The page on the website talks about 10.3 and the latest snapshot is dated July.

    1. Re:Interesting to see it being ported by jbolden · · Score: 2, Insightful

      I do have to wonder -- how well would a successful Darwin port of SELinux interact with Mac OS X's security model?

      Quite a bit of it is in there. The problem is that Darwin has a different kernel level security model... there is a difference between single user mode and root in terms of permissions. So for example you can chflags the schg bit on but not off when running in Aquaish modes. There certainly are going to need to be better tools to handle this (sort of like the way XP does stuff during the next reboot).

    2. Re:Interesting to see it being ported by jkoshy · · Score: 2, Informative

      Mandatory Access Control has been available (but not turned on by default) in FreeBSD since its 5.0 release (Jan 2003). Documentation on using MAC is available in the FreeBSD Handbook. Manual pages are also available.

  8. Re:Q: best way to learn it? by PaxTech · · Score: 2, Informative
    My only experience with SELinix has been when an old reliable sysadmin procedure stopped working. I acknowledge that I need to know more. Should I pop for the (overpriced, IMO) O'Reilly book, or plow through the online stuffs?

    The O'Reilly book is very outdated, most of it talks about the SELinux implementation in FC2 IIRC, and a LOT has changed since then. You'd be better off with the online stuff until that book gets revised.

    <shameless plug>
    I wrote a series of four articles on SELinux you can find here: 1 2 3 4 and the company I work for has an SELinux strict policy server distro available here.
    </shameless plug>

    --
    All movements for social change begin as missions, evolve into businesses, and end up as rackets.