Get the LinuxSecurity news you want faster with RSS
Powered By
SELinux
Want to know how to make Linux really secure? Security Enhanced Linux (SE Linux), a system of security policies developed by the NSA, let you secure Linux at every level from the kernel up. Find out how EnGarde Secure Linux and others build and maintain a truly secure server environment.
Source: Network World - Posted by Eckie Silapaswang
Read the latest news on SMACK (Simplified Mandatory Access Control Kernel) and get some more insight into the current security debate concerning the beloved Linux kernel. Let us know your thoughts on SELinux's role (no pun intended) with the kernel as well as any thoughts in SMACK. How does it live up to its intent for "simplicity of administration"?
Continuing his outspoken nature, Torvalds reigns in on the issues between LSM and SELinux. The argument as to which method should be the foundation, is being hotly debated. "You security guys are insane..." Torvalds states. What's he judging? the value of SELinux as the framework (maybe it's good, maybe it's not) or something else?
Why are security experts the focus? It seems here, that Torvalds is focusing on the source, not the content or issue itself.
Smack is the Simplified Mandatory Access Control Kernel," Casey Schaufler said posting the third version of his patchest. He explained, "Smack implements mandatory access control (MAC) using labels attached to tasks and data containers, including files, SVIPC, and other tasks. Smack is a kernel based scheme that requires an absolute minimum of application support and a very small amount of configuration data."
It's always nice to have security at the kernel level - how does SMACK stack up to other security implementations? Have you been able to configure something similar with a good set of SELinux rules?
What I discovered is that part of SELinux’s current dilemma is more easily fixable than the other, because it has nothing to do with technological chops and everything to do with public perception. Jim Klein, the director of information services and technology at the California-based Saugus Union School District, put it best: “The biggest problem for SELinux is mindshare,” Klein told me.
Why do users think that SELinux is too hard to use? One reason, could be that it can prevents some of our favorite Linux programs from running, if we don't make changes to the default SELinux policy. I find the standard set of SELinux tools to be a great aid in getting SELinux working on in any Linux enviroment.
Stephen Smalley has announced the latest release of core SELinux userland code, with highlights including dynamic object class and permission discovery, per-command PAM configuration for the newrole utility, and several general updates and improvements.
This release update some of the SELinux core userspace programs. One interesting change is per-command PAM configuration for the userland command newrole. I am glad to see updates to the userspace utilizes being release on a regular bases. Do you think that the NSA is pushing SELinux in the right direction?
As SELinux continues to gain in popularity, more and more sites will take it upon themselves to give it another go around. Here is a great, quick intro from another standpoint, into SELinux and setting up the system.
Also nice, is the explanation of DAC versus MAC, and how they inter-relate.
If you haven't learned much about SELinux, here's a nice way to start.
Customizing your systems SELinux policy can be necessary when running an application your policy is unaware of. Particularly, web based applications might need customization of Apache policy in order to run properly.
SELinux development is a very useful skill to have. With this skill the next time you are thinking about disabling SELinux you will know what changes are needed to the policy to get any program working with SELinux. How many of use end up disabling SELinux because it's preventing our favorite program from running?
KaiGai Koehi has announced the first release of SE-PostgreSQL, with RPMS available for Fedora 7, and documentation in Japanese and English.
Security-Enhanced PostgreSQL (SE-PostgreSQL) is a security extension built into PostgreSQL. I am happy to see projects like this one. I wonder if other projects are going to pop up similar to this one?
Tresys have released new versions of SLIDE (announcement) and SETools (announcement). The new SLIDE release (v1.2) includes a network configuration GUI, usability improvements and bugfixes, while the new version of SETools (v3.3.1) is a minor bugfix release.
I have recently tested out SLIDE a SELinux development plug-in for Eclipse. I found that the plug-in gives the user at lot of information about the policy which is being developed on. After using it I have been thinking about doing all myy SELinux development on SLIDE instead of vi. What tools do you use for your policy hacking?
Another example of SE Linux access controls on a non-Linux platform is the MAC framework in the TrustedBSD project. This implements SE Linux access controls on top of FreeBSD. From reading the documentation it seems that the amount of changes required to the SE Linux code base for implementation on TrustedBSD was significantly smaller than the changes required for Darwin.
I was surprised to see that other Unix based operating systems are porting SELinux for example, the OpenBSD project. Since SELinux is implementing in both kernel space and user space I would think there would be a lot of core changes to SELinux to make it work on other operating systems.
