Security Enhanced Linux

Blane Warrene

Operating system security is (or at least should be) of critical importance to us all. However, the level of security required differs for each systems administrator.

For those who seek enhanced, tightened security control over their Linux systems, SELinux may be the answer. Standing for Security-Enhanced Linux, it is the result of research projects at the NSA (National Security Agency) in the US and focuses on mandatory access control, which offers powerful control over users and devices as well as applications and services.

SELinux is released as a set of kernel patches that are applied to an existing Linux installation. The NSA states they have tested it successfully only on Red Hat.

In that same vein, the Red Hat community has just announced integration of SELinux into its latest test release of Fedora (Core 2), the replacement for Red Hat’s Professional series of distributions, which ended with version 9. Red Hat facilitates the Fedora project but does not officially support it. However, it is obvious the goal is to test out and find the best improvements that can then make their way into Red Hat’s official Enterprise Linux products.

The NSA defines the difference between SELinux security and standard Linux security:

“The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. When confined in this way, the ability of these user programs and system daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example) is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a “root” super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).”
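The confinement the NSA describes becomes visible to an administrator in the kernel's AVC (access vector cache) messages: every access the policy refuses is logged with the source domain, the target type and the object class, regardless of what the traditional owner/group/mode bits would have allowed. The following script is an added example, not code from the original column, the NSA or the Fedora project. It parses a handful of constructed AVC records (hypothetical PIDs, paths and timestamps) into structured form and summarises the denials per domain, which is the first step an administrator takes when deciding whether a denial is an attack being stopped or a policy that needs adjusting.

```python
"""Parse SELinux AVC records from an audit log and summarise denials.

Added example for illustration only; it is not part of the original
column or of the SELinux/Fedora projects. The sample records below are
constructed, following the kernel's "avc: denied { perm } for ..." layout
with three-field contexts (user:role:type) as used by early SELinux.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample audit records (hypothetical host, PIDs, inodes, paths).
# Lines 1, 2 and 4 show the web server domain httpd_t being refused access
# that plain Unix permissions might well have allowed; line 3 shows an
# access the policy permits; line 5 is a non-AVC record and is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1083859200.123:45): avc:  denied  { read } for  pid=2104 comm="httpd" name="index.html" dev=hda3 ino=5321 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1083859210.456:46): avc:  denied  { write } for  pid=2104 comm="httpd" name="notes.txt" dev=hda3 ino=5322 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1083859220.789:47): avc:  granted  { read } for  pid=2104 comm="httpd" name="index.html" dev=hda3 ino=5401 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
type=AVC msg=audit(1083859230.012:48): avc:  denied  { name_connect } for  pid=2104 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1083859230.012:48): arch=40000003 syscall=102 success=no exit=-13
"""

# "avc:  denied  { read write } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcRecord:
    decision: str          # "denied" or "granted"
    permissions: tuple     # e.g. ("read",) or ("name_connect",)
    source_type: str       # domain of the acting process, e.g. httpd_t
    target_type: str       # type of the object touched, e.g. user_home_t
    tclass: str            # object class: file, tcp_socket, ...
    comm: str              # command name reported by the kernel


def parse_context(ctx: str):
    """Split a security context into (user, role, type); a trailing MLS
    level, if present on newer systems, is ignored."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[0], parts[1], parts[2]


def parse_avc_line(line: str):
    """Return an AvcRecord for an AVC line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    _, _, stype = parse_context(fields["scontext"])
    _, _, ttype = parse_context(fields["tcontext"])
    return AvcRecord(
        decision=m.group("decision"),
        permissions=tuple(m.group("perms").split()),
        source_type=stype,
        target_type=ttype,
        tclass=fields["tclass"],
        comm=fields.get("comm", "?"),
    )


def parse_audit_log(text: str):
    """Parse every AVC record in an audit log; non-AVC lines are dropped."""
    return [r for r in (parse_avc_line(l) for l in text.splitlines()) if r]


def summarize_denials(records):
    """Count denials keyed by (source domain, target type, class, permission).
    Each key is one access vector the loaded policy does not allow."""
    counts = Counter()
    for r in records:
        if r.decision != "denied":
            continue
        for perm in r.permissions:
            counts[(r.source_type, r.target_type, r.tclass, perm)] += 1
    return counts


def format_summary(counts):
    """Render the denial summary as one human-readable line per vector."""
    lines = []
    for (src, tgt, cls, perm), n in sorted(counts.items()):
        lines.append(f"{src} -> {tgt} ({cls}): {perm} x{n}")
    return lines


if __name__ == "__main__":
    for line in format_summary(summarize_denials(parse_audit_log(SAMPLE_AUDIT_LOG))):
        print(line)
```

Run against a real system the input would be the audit log (or the kernel log on installs without auditd), and the summary tells you which domain was stopped from doing what: a web server domain denied `name_connect` to a database port or `write` to a home directory is exactly the kind of post-compromise behaviour the quoted text says the policy contains, and it is logged even when the process runs as root.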

More information on:
Security-Enhanced Linux

Red Hat Fedora and SELinux