Get the LinuxSecurity news you want faster with RSS
Powered By
SELinux
Want to know how to make Linux really secure? Security Enhanced Linux (SE Linux), a system of security policies developed by the NSA, let you secure Linux at every level from the kernel up. Find out how EnGarde Secure Linux and others build and maintain a truly secure server environment.
The NSA have announced the release of updated version of the core SELinux code, available from their web site. This release includes support for permissive domains (allowing permissive mode on a per-domain basis), user and role mapping via sepol, and various minor fixes and enhancements.
Security-enhanced Linux (SELinux) was originally developed as a research prototype of the Linux® kernel and a number of utilities with enhanced security functionality designed to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux. Today SELinux is integrated into the mainline Linux 2.6 kernel series and several Linux distributions. The Security-enhanced Linux kernel contains new architectural components originally developed to improve the security of the Flask operating system.
Have you used the latest Ubuntu version with SELinux enabled? If so what was your experience? This article is a step by step guide to learning how-to setup SELinux with Ubuntu. Test it out and let us know how it goes.
Source: Packt Publishing - Posted by Eckie Silapaswang
In this article by David Mercer, we will look at an entirely different aspect of running a Drupal website. Once we have added the functionality to the site, we now have to give some thoughts about how this functionality is to be accessed, or by whom. As the site grows, you will most likely feel the need to delegate certain responsibilities to various people. Alternatively, you might organize a team of people to work on specific aspects of the site. Whatever is required, at some stage you will have to make decisions about who can do what, and Drupal makes sure that it is possible to do precisely this.
This article on access control in Drupal has many similarities to implementing policies in SELinux. For those of you who are new to SELinux and are unsure of how "it works", this article may provide insight through a practical example of roles and permissions in a microcosm CMS world.
The SELinux Developer Summit will be a one day summit intended to provide a forum for focused technical discussion regarding current and future development plans for SELinux and related Flask/TE projects. The intended audience will consist of current SELinux developers, system/security administrators, distribution organizers/packagers, and power users. The format will be a mix of presentations and moderated discussion, including a panel where attendees will be invited to submit questions and feedback.
The SELinux Developer Summit is looking for people to take part in the action. Will you be one of them?
Tresys have announced the release of the latest version of Reference Policy. A notable highlight in this release is the addition of core infrastructure for X window (XACE/XSELinux). There’s also new support for wireshark, policy refinements for several already supported applications, and general enhancements including 64-bit capability support and updates for labeled networking.
One interesting part of this release is XSELinux. Do you think this will improve the usability and security of x-windows? I personal don't have any experience with (XACE/XSELinux) so if anyone does feel free on make a comment about it.
A place people sometimes trip with SELinux is the labeling of files. SELinux requires files to be labeled correctly in order to function. Discretionary Access Control has the same requirement in that file must have the correct permissions and ownership. If a file does not have the correct permissions it can not be read, written or executed. Similarly if a file is not labeled correctly SELinux will prevent read/write/execute as well as many other permissions and transitions.
Are you a Xen user? If so this article will show you steps to increase your images security by using SELinux.
If you're curious about how SELinux work with a database, and want to take your understanding to the next level, this is a great way to get started:
Security-Enhanced PostgreSQL (SE-PostgreSQL) is a security extension built in PostgreSQL. It works as a reference monitor within relational database management system, and provides fine-grained mandatory access control features collaborating with SELinux and its security policy.
These features enable to deploy a database management system into data flow control scheme, integrated with operating system. We call the most characteristic feature of SE-PostgreSQL as ''system-wide consistency in access controls''. Any other RDBMS cannot provide this feature in current.
The NSA have announced the latest release of the core userland SELinux code. According to the changelog, changes in this release include support for policy capabilities (i.e. allowing features to be selectively implemented in policy), several enhancements to libselinux, optimized matchpathcon, improved error handling and various bugfixes. The release may be downloaded here. Also noted in the release is a new page on the NSA site: Related Work, providing links to information on the underlying architecture and non-Linux implementations.
Source: http://www.ratliff.net/blog - Posted by Ryan Berens
We had mentioned last week that Solaris has introduced the FLASK security framework (part of the heart of SELinux) into its system. This week, a number of sites are chiming in, and this blogger has a couple of great links as well...
In a major validation of the FLASK architecture, the OpenSolaris community has created a new project called Flexible Mandatory Access Control (fmac) to adapt the FLASK architecture to OpenSolaris. (The FLASK architecture that is the basis for SELinux.) Stephen Smalley will be one of the community leads. OSNews picked up the email thread today with some interesting comments.
Source: www.linuxworld.com - Posted by Ryan Berens
SELinux still has a ways to go before it becomes the standard for secure servers. But as time passes, more and more administrators are realizing that this isn't some addition that needs to be switched off - it's an incredibly effective tool that when used correctly, can stop real-world exploits from causing real-world problems. In this article, Network World gives a soup-to-nuts overview on the current state of SELinux and how it is one of the most capable ways administrators can lock-down their system.
Linux security experts are reporting a growing list of real-world security situations in which the US National Security Agency's SELinux security framework contains the damage resulting from a flaw in other software. These so-called "mitigations" are showing that a Linux feature that began as an esoteric security measure is starting to prove its worth.
What are your thoughts?
