Get the LinuxSecurity news you want faster with RSS
Powered By
SELinux
Want to know how to make Linux really secure? Security Enhanced Linux (SE Linux), a system of security policies developed by the NSA, let you secure Linux at every level from the kernel up. Find out how EnGarde Secure Linux and others build and maintain a truly secure server environment.
Tresys have released new versions of SLIDE (announcement) and SETools (announcement). The new SLIDE release (v1.2) includes a network configuration GUI, usability improvements and bugfixes, while the new version of SETools (v3.3.1) is a minor bugfix release.
I have recently tested out SLIDE a SELinux development plug-in for Eclipse. I found that the plug-in gives the user at lot of information about the policy which is being developed on. After using it I have been thinking about doing all myy SELinux development on SLIDE instead of vi. What tools do you use for your policy hacking?
Another example of SE Linux access controls on a non-Linux platform is the MAC framework in the TrustedBSD project. This implements SE Linux access controls on top of FreeBSD. From reading the documentation it seems that the amount of changes required to the SE Linux code base for implementation on TrustedBSD was significantly smaller than the changes required for Darwin.
I was surprised to see that other Unix based operating systems are porting SELinux for example, the OpenBSD project. Since SELinux is implementing in both kernel space and user space I would think there would be a lot of core changes to SELinux to make it work on other operating systems.
Tresys have released new versions of SLIDE (announcement) and SETools (announcement). The new SLIDE release (v1.2) includes a network configuration GUI, usability improvements and bugfixes, while the new version of SETools (v3.3.1) is a minor bugfix release.
SLIDE is a Eclipse plug-in for SELinux development. When I do my policy development I stick with my good old vi editor. Personal I find using a IDE for writing policy makes it go slower. Do you find the SLIDE plug-in better then using a terminal editor?
Source: Red Hat Magazine - Posted by Eckie Silapaswang
I know in the past few weeks I've been very "offense-oriented" - lots of discussions on the latest cracks, DefCon post-analysis, etc. Let's switch back to a good defense scheme with a great starter article on building SELinux policies. Be sure to read the comments at the end warning users on placing too much trust in audit2allow output - this is something many first timers take for granted that could lead to holes in your security layers. In this article's case, the best defense is...well, a great defense!
Source: Security Blog Brindle - Posted by Bill Keys
We all know that we should not turn off SELinux but how many of us really do keep it on? As I see SELinux grow, so too the number of people keeping their SELinux implementation in enforcing mode. This article states that many companies are developing new software to make using SELinux easier. How would these tools affect the SELinux policy security?
One thing that I have been a little lax about reporting is when SELinux has mitigated a vulnerability. This past week, two Samba vulnerabilities were fixed in an Red Hat Network Update. These fixes were available at the same time as public disclosure of the issues, There are no currently known public exploits of Samba available. This errata fixed two bugzillas #239774 and #239429. I would like to point out that even with these vulnerabilities being able to leverage a heap overflow to run arbitrary code on a recent RHEL is hard.
Source: SecurityBlog::Brindle - Posted by Bill Keys
During the last year quite a bit of effort has gone into improving SELinux’ networking support, thanks to the great SELinux community. While this support is still evolving it will be very beneficial for people to try it out and give feedback so the final result is useful to more users and meets the security needs of a wider audience. As the network support in SELinux continues to evolve (there are already other ideas being discussed for possible inclusion) I’ll try to keep this post updated so that people who find it will have the latest information available.
The developers of one of the most secure operating systems available will use one of the most open collaboration platforms to continue work. The development community for SELinux will can start to use a newly created wiki site for collaboration and discussion, announced James Morris on the SELinux mailing list last week.
Source: Search Open Source - Posted by Efren J. Belizario
Administrators often criticize Security Enhanced Linux (SELinux) policies for being too complex, and they have a point. Mandatory access control-based administration is tedious and easy to misconfigure. It can be tough to handle the extended security attributes across a range of users, processes and files or directories that encompass more than one server. Novell addresses this problem in its enterprise-class server offerings with the AppArmor suite of policy management applications, but nothing comparable exists yet for systems management in Red Hat enterprise servers (or CentOS derivatives).
The good thing about SELinux (Security-Enhanced Linux) is that it can really help you lock down a Linux system. The bad thing about SELinux is that it can be a real pain to put all those locks and chains in place in the first place.
