SELinux and Security

 
 
By Jason Brooks  |  Posted 2006-04-17 Email Print this article Print
 
 
 
 
 
 
 


Since Version 2, Fedora Core has been leading the implementation charge among Linux distros for SELinux, a framework that came out of the National Security Agency for tightening Linuxs permissions scheme.

In SELinux, system permissions are described in policies. New for Fedora Core 5, the SELinux policies are based on a more modular reference policy. As a result, developers may now build application policies into their software packages, which makes Fedoras SELinux more manageable for administrators and more accessible for developers.

Also new is an MLS (multilevel security) policy for deploying a system with support for multiple levels of data classification, as youd expect to find in a trusted operating system such as Sun Microsystems Trusted Solaris.

For more information on Fedora Core 5s implementation of SELinux, the project has prepared an excellent FAQ page, including information about SELinux overhead (roughly 7 percent, according to the FAQ), building your own policies and troubleshooting SELinux errors on Fedora.

Its a Xen Thing

Fedora 5 ships with an updated version of the open-source Xen hypervisor project, which first appeared in Fedora in Version 4. We noticed right away that the Fedora team has smoothed out some of the under-the-hood wrinkles that had marred Fedoras previous Xen implementation. For instance, Xen requires particular modifications to a systems C library to avoid a specific performance hit; with earlier Fedora versions, this called for some hackery to get Xen working properly.

Also, the new version of Fedora ships with a basic script for creating new Fedora Core 5 Xen guest instances. The script creates a blank system image in a file and launches Anaconda to install Fedora on that image. After some fiddling about, we were able to create several such instances, administer them through SSH and serve a test Plone site from one of them.

However, if Red Hat developers intend to give VMware, Microsoft and other vendors in the server virtualization space a run for their money, they have quite a bit of work ahead of them: The Xen engine may be in place, but Red Hat must cluster a solid suite of management tools about this core if its to compete effectively.

Should Red Hat be exhibiting "Xen"-ophobia? Click here to read Jason Brooks column.

Fedora Core 5s default desktop environment is GNOME 2.14, although KDE 3.5.1 and XFCE 4.2.3 are also available. According to the GNOME project, this latest version of GNOME contains speed enhancements for GNOME applications, such as the systems log viewer. Sure enough, during tests the log viewer was noticeably snappier to launch and use.

Our favorite addition to the desktop is the Beagle search application, which brings to Fedora the same sort of desktop search functionality that the Google Desktop does for Microsofts Windows or Spotlight does for Apples OS X 10.4.

Another new GNOME feature we appreciated was the Deskbar, from which we could launch Beagle and Web searches, execute applications, look up contacts from our address book, and perform a handful of other useful operations.

However, two of the most promising additions to GNOME 2.14—the system lockdown application, Pessulus, and the user profile editor, Sabayon—arent included in the standard Fedora Core package set. Sabayon is available in Fedoras Extras repository, but wed like to see the project focus on embracing these components, as they make it easier to manage Fedora desktops.

Next Page: Evaluation shortlist.



 
 
 
 
As Editor in Chief of eWEEK Labs, Jason Brooks manages the Labs team and is responsible for eWEEK's print edition. Brooks joined eWEEK in 1999, and has covered wireless networking, office productivity suites, mobile devices, Windows, virtualization, and desktops and notebooks. JasonÔÇÖs coverage is currently focused on Linux and Unix operating systems, open-source software and licensing, cloud computing and Software as a Service. Follow Jason on Twitter at jasonbrooks, or reach him by email at jbrooks@eweek.com.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...

 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel