Security-Enhanced Linux Moving into Mainstream

Posted by tadelste on Dec 18, 2005 6:16 PM EDT
LXer; By Tom Adelstein
Mail this story
Print this story

Security Enhanced Linux has move into the mainstream of operating system architecture in recent years. For those who don't understand the technology, many articles exist.

SELinux provides mandatory access control to a wider audience. It helps eliminate O-day attacks.

The agenda for the 2006 SELinux Symposium has just been announced and some project leaders of Linux distributions may way want to attended.

Existing distributions such as Fedora are including SELinux in the default build, and ports are underway to bring SELinux functionality to BSD and Darwin. Management has already stressed the importance of SELinux in many organizations. So, security minded systems administrators will find SELinux an important area to gain proficiency.

Much publicity exists around NSA's open-source Security Enhanced Linux. People have discussed it in articles, at various conferences, in presentations and user group meetings. I made a few attempts in the early days to have it work on a server or two myself. After many frustrations, the closest I ever got to a working version was Mark Westerman's laptop at the Boston University Linux Desktop Conference in November 2003.

Security Enhanced Linux enforces a mandatory access control model of security. This differs from the discretionary model used in UNIX and Linux operating system. SE Linux policies confine user programs and system services to the least privilege they require to do their jobs.

SE Linux confines users, programs, and system services in the event the system becomes compromised. In the event someone exploits a system, he or she can only go so far before hitting a barrier. This reduces and/or eliminates the damage an intruder can create.

In theory, the idea of sectioning off users, services and programs makes perfect sense. In practice, making SE Linux work has been difficult.

Today, you can chose from Fedora, Red Hat RHEL 4, Debian and Gentoo. You can also compile your own kernel from the sources. Last time I looked, none of these distributions had any support --official or not -- for SE Linux except Fedora Core II and it had problems.

The NSA security model has existed for a few decades. Fortunately, NSA decided to implement that model in Linux. It makes Linux a candidate for the most secure DoD Trusted Computer Security Evaluation Criteria (TCSEC). And it's available in a free and open-source operating system.

If you want to see what the future of secure computing will be like, you can see it today. For the highly technical Linux administrators, I recommend Gentoo's implementation. For those wanting an easier install, go with Fedora.

You Need a Manual

Regardless of which distribution you choose, you'll still need an administrator's guide. Generally, I get mine off the Internet. I'll hunt and gather material and use a binder to put things together. I'll even index and create my own table of contents. I've spent way too much money on Linux books over the years and have been disappointed. So, to get me to buy a Linux book is tough.

One book I have acquired is Bill McCarty SELinux NSA's Open Source Security Enhanced Linux from O'Reilly. Other than this book, most of what you will need to gain knowledge of SELinux comes form the projects themselves:

Getting Started with SE Linux HOWTO: the new SE Linux a sourceforge project written by Faye Coker 18 March 2004.

Gentoo's SELinux Howto

NSA SELinux main website


SELinux community page

UnOfficial FAQ

Writing SE Linux policy HOWTO

» Read more about: Story Type: News Story; Groups: Community, Debian, Fedora, Gentoo, Kernel, PHP, Red Hat

« Return to the newswire homepage

Subject Topic Starter Replies Views Last Post
Long way to go yet R_U_TRUSTIFIED 0 1,668 Dec 19, 2005 4:25 AM

You cannot post until you login.