Linux & Open Source - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Linux & Open Source


REVIEW: Red Hat Fedora 12 Beta Makes Progress on System Privilege, Virtualization Fronts



 By: Jason Brooks
2009-10-23
Article Rating:starstarstarstarstar / 7


There are 0 user comments on this Linux & Open Source story.


Rate This Article:
Poor Best
Fedora, Red Hat's leading-edge Linux-based OS, has hit a beta milestone. eWEEK Labs' tests show that Fedora 12 will provide the latest and greatest versions of popular open-source applications, as well as features that strengthen not only Fedora but also Linux distributions in general. In particular, Fedora 12 advances the state of Linux system privilege management on multiple fronts and exhibits continued progress in virtualization.

Red Hat's leading-edge Linux-based operating system, Fedora, hit a beta milestone this week on the way to its Version 12 release. As with Ubuntu Linux, which recently underwent a beta release of its own, Fedora 12 will be packed with the latest and greatest versions of popular open-source applications, such as the OpenOffice.org productivity suite, the Firefox Web browser, and up-to-date releases of the GNOME and KDE desktop environments.

For a look the Fedora 12 beta in action, check out this eWEEK Labs slide gallery.

Beyond these typical Linux updates, the updates that have caught my eye in this version deal with strengthening the core of the distribution and of Linux distributions in general, as Red Hat's open-source innovations trickle downstream into other Linux-based operating systems. In particular, Fedora 12 advances the state of Linux system privilege management on multiple fronts and exhibits continued progress in virtualization.

System Privileges 

One of the first Fedora 12 enhancements to jump out at me was the distribution's new capability for sandboxing potentially untrusted graphical applications with SELinux. The new feature, called sandbox -X, provides graphical applications with a temporary environment to run in that's walled off from the rest of system. 

For instance, on my test machine, I created a wrapper script for Adobe Reader (a frequent target of malware purveyors) that would launch the application within an SELinux sandbox. I could view my document normally (more or less, I experienced frequent Reader crashes during my tests, with or without the sandboxing), but could not browse my file system or reach the network. If I wanted to extend Internet access to my sandbox--to test a Web browser, for instance--I simply appended "-t sandbox_web_t" to my command to allow for the access.

Resource Library:

For now, sandboxed applications launch in windows that cannot be resized, and not every application I attempted to sandbox worked properly. Firefox, for instance, launched without issue, but Google's open-source Chromium browser crashed immediately upon launch.

Moving forward, I'll be interested to see whether and how the Fedora project integrates sandbox-X with the rest of the distribution. If nothing else, the feature is a good example of what can be done with SELinux. For more information on sandbox -X, check out this blog post from Red Hat's Dan Walsh.

SELinux provides Linux with a scheme for mandatory access control, where the only rights that users or processes enjoy are those explicitly granted. In Red Hat and Fedora systems, SELinux usually operates under a targeted policy, where only specific parts of the system are controlled so tightly. The rest of these systems are bound by the traditional Linux DAC (discretionary access control) system.

In Fedora 12, this DAC scheme becomes more granular, with new work around limiting the privileges of processes that have previously run with all-powerful root privileges. The concept of capabilities enables applications that require certain root privileges to run with only those rights.

So, where SELinux works to limit the range of what applications are allowed to do, capabilities allow applications to request fewer rights in the first place. The capabilities work in Fedora 12 taps a library called libcap-ng that is meant to simplify the capability-dropping process for application developers. For more information on libcap-ng, check out this writeup from Red Hat's Steve Grubb.

A third privilege management enhancement coming in Fedora 12 comes in the form of a rewrite of the PolicyKit framework for granting system users particular elevated rights--such as the right to modify date and time information, create and modify user and group settings, or install software packages on a machine.

The current version of PolicyKit--which ships on Red Hat and Fedora distributions, as well as on Ubuntu, SUSE, and other distributions--doesn't lend itself to integration with networked resources such as directory servers, a major limitation in managed deployments.

The version of PolicyKit that ships with Fedora 12, while still implemented for storing its policies locally, has been reworked to allow for future directory integration--a major gain not only for Fedora but for Linux distributions in general. For more information on PolicyKit, see this reference manual for the project: http://hal.freedesktop.org/docs/polkit/.

Virtualization

No new Fedora release hits the streets without a handful of new virtualization enhancements, and Fedora 12 is no exception.

In this release, one of the most compelling virtualization features is the system's support for Kernel Shared Memory, or KSM, a recent addition to the Linux kernel that enables applications to identify and share duplicate memory pages. In conjunction with Fedora's KVM hypervisor, KSM promises to boost virtual machine density on a given host by enabling administrators to overcommit memory without requiring that VMs swap to disk.

I tested KSM out by creating a couple of Ubuntu 9.04 VMs with 1GB of RAM apiece and a Windows 7 VM with 2GB of RAM. Together, these VMs laid claim to the bulk of the 4GB of RAM available on my test Fedora 12 system.

When I switched KSM on, I watched the memory usage on my test machine fall, fairly quickly, from 3.1GB to 2.1GB as my system identified and merged duplicate memory pages. I want to see KSM in action on a more realistically outfitted system, but I'm impressed the capability as I've seen it so far.

Beyond KSM, I'm pleased to see that in Fedora 12, KVM will support hotplugging for virtual network adapters, and will present guest machines with an emulated hardware platform that remains consistent across upgrades of the hypervisor. Linux OSes tend not to care when hardware is changed underneath them, but this can cause problems with Windows. I've experienced broken Windows VM installs following KVM upgrades, and I welcome this improvement.

Executive Editor Jason Brooks can be reached at jbrooks@eweek.com.

 

 





  Reader Comments: REVIEW: Red Hat Fedora 12 Beta Makes Progress on System Privilege, Virtualization Fronts
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Linux & Open Source Articles          >>> More By Jason Brooks
 


xv㶲 ;^+(}LR/ْڱ-oKNYZ I)Rv2%Ο%*BIt3m BUP(#I"nZΘ\ܦd轿O$w}L9UQ#C3W)9bPg34mzΠN@\~}@^cfwD%x_'Щ=ѩ€wɄZIPQߗ>}^~l .hvL⎲Il/G5tuG%yHC֥̾E! ]2HXߦuɷ~{Xe;7 CKd/B(?F#c?9CvN=3τPcwҴ?@Sա*v25v+n /@^c\ȁYBni=7dc7l#205ARZ [XdTZ ӡk)u8r z08ryj5jfO-{n_w$z(֛z$=+~bA2xưaIHl6XB?P[yyN f uȭB¿{k׳߂Cݸ{1ܳL`E-"'l,R ?q7uBa%LjXE&sؗCYͼaF3l˸;4 HSKVUBX)ڑ^rӽm˙p*sgyÝ5훟+eUvѻ]HQPw;@ږVj0n{'Owq@α{A~$Vj}& D%\.I&0h5&tt:~Xs|\㍒~7ny%R+ i٥zd$Y3)2,ԐY;~K~2/NM퓳Nl,OaR422V,]鮘FȏwAժutqӹluoz{MZOvY;i O׵V\vO^/SQ&:aZ+U#3?_$>wNHN‰,-YtǷP[,/s$BrZT|Y|ěy30si2)>ML9X@/@ש#W4j5t-Mn #dLi&ͭzh-Aho*KLru&@Sk~$M ]5ņ])!exFSۤ%/^(P%!P샖_.[ jF|*(If(;΀/3A.r)i  6=aL+^뻹(4l.k\֛esJVt];3Eя0-*<7Nv.~hzmxX18,]evb`\Է7JfzTb(7ZdL,5,ϘR7HA^g_σutSOgG|JMk>uI< EC#ɠ:ڴ{\gV4!>F&MЀ wG|hx:,,Abχ&a`M?FAтMz>tT;]|2Zw9ܻ-L&wz JCˋF0P6xBe^~}¢1O[>ȁ=Ś閭-L<ģܠ~QP|'sZ( 7^`y" EEKy3@ $h5az.? ŊH^KHX-Vpp(ݞH:w@-h3aGe-n^ $ d6g2+IMiG0V-&D7r"e.G 7Kቖ6ZlkVe y=0Гޙ~pI$ךs_n2MSR*ܼ? b>Ȝ 8C_gM Yh(d'pC!f4Sy%ew{RgaE8F2b5k%nQ/|KĝR48'')NasW|]Ө5@ӬXKuooE[1(ĿKúJjp -Hoh koռE_xue8HiK-#rB`}.E6Gh?40%Ϳl]pZ#>{+UVj'G,m+ZrirX,y|-lD0(2n( 鿛R&a+\ڨOaOwAsm0Ho[=<fM\?&BXt+@Zl&VUmTHbyq 0b={1rt\Xtf²읶ה])ϥ_(̧6y+U}>8`CLmRGM}Bu߲&])W=ٰ\R !I16D ȸau-`bygS]Wѹq@8l1D.,g @?QRo> \!EX+LTBYad[s6/|}uxN`'\sW["LJ}Nݡe-m*I-b]Pr)SLZ06AaeL䱯^t@FM@X G\d0!P\Q-W0.#_L_LU1(TOnʻhCz-X]>L,',@УCkz]W9,#߬'hh<^HjP6C+jrTT+ qvJwq)4 l2{Oe֛Jm@o(ۿ`3|x+ߙ#[aeƘ]H`7\ +RUw5 Ř)2)N<:arUTՑn vOGA.Ca&:`BTnЬ 0Դ'KiM twPJ v|~KZhE[dEκԲG**5P6>*0nG=W֌H+ c5}u:*ZWӪ`,B[$ zDÈ i{qņZ ZYMV~ q?pߎ3XAmš9k+sD ü z30Jјlwh\,Qm(}ϣ*񨫚VJe2&0ʃF5c; [LY2Z ƚ_AFp5ز@ngr DV;ISԳйtNsl }~rnAf D|8 F.K6,^ira;9Qo@Hms11 ZH$;AOH07$pkj fS))r*H+ů 3Fˁ; _.7qDzGRUe@5ịV3C e 4v=.EЋv}cLB.Mo 4yQFkoZ,+eeHS/ JU-A^Mo6=IT\SGQ>8{Ic#&a\kxkc(u( Eōj4 Jz7O C.[m2B0qR3ڛ5^@M|KZkq4wI#⩬yF0.Ɨ!sk'O̦:zf36{%]M;o^!Lc~u8I,+o*M&n@uz0Rlʪ+> 2*ijAROs{@:Lpz]Qd:)nQ==յћY GL)߭~*9WIfT.jZb[)Uʹ>"i!`X~QK(,~w9ـo |\V*Z솣d9#T`| @-a'd1s<6ɷonjC?8 +~7?l)ɡXXD>DQkF\{e"nxB* gF Dccb^f>VU%/(0h_pCm໶$\auv1g +f[I)37+uƶO}y9|LWi_wUwuYeD߫ٗ/5.ašJVCR:"hueK\4?pCmtj2e'A)pQ>rfWϊ۫fչ ]wi? `yBn߽p.:K'5?wD;m)^{%y0W<|n48Z&IyDcxH136Q B@I˸t[k,ruXKr! }&=CɢlGkhN~{+^+,k̚_f·?|CAJNx(G@RPOh[#Zyst;3Ğw}h !:Ua2"(BS.iDOg4>^79Sj67>#EG%'k;t{)-':}iF` e܃Ţ*WVr[k':H ׉ NAN>os_<#9en1~KP -Mu?So2MDYkNEm=O[?0 cda(!L$zdeQnKlx8eRL锐'g.Op|Nhk'I^VR6T$4%!44ALNbC]F+#g һj^nOpVHp._xvImK$dcgKe s KqkP I<+ `->gԢᬖ^}+ ɏh : 3eZ& 3Z{UZ"Ա0@t#O.\<;n{ WS eznOapϲl^ta|`|;p=FG5]{@Ƹ DucBA095z@ϝO(|9i ,F}d3tTo4hAhl3O7nC]`l_sTx:o~=Ϥ2]a*7o}VZtC.qD n&d/.)%E u OKt1ڮ/=اHkYXxlS֛12~O O=pԶف㇎&X r?4hg azc[ʹ39ad<J6˶wVpN Ov %FJ--cmێ!%hvpU8"Zy$N0 o[1΢(g IV_OLRGvi iw_ U7w-;5HW`tv~1[SǘLu|@ hEk @,A[7l*PLG{ :-1p]zIћ(&Y8nF`,OMZM#zLt|(P6Ni1a6hςҢ @іr dՄ Lp@- rF{6|p4uYDx=E@?;ۊ6-x>N+bۯb ['\;!mb%/,xZDzdId+F$e%!B-(ı ̿u2RHgɋ&#BrFpP,Nų''3( JJ- nF&4ȯ_FQ_m 8?sqfBieL"ZQJՊ>p5ra 7 s͛ 0yf}6#&K>ۀ?uj=NIe%M77o9_KC”h9G{i(\oQ-.X.\II`Hj*,U'?sICB)DbH,[ EHS2&FHqol[s>UѾ7(zR ^NzTڔ>6ҵu~Ho{sL&!Y52 w⁊myUxT%D*oxnf|ImY"ĴE8,TPsqʲƢ)*&#[`{XO/]fR. Kz2E ]DJDa ;!ةvJQ,t6gIEœN)Jg} Ll` b鎤J y9X `1T O_2$*y qh< U4e[>,ȟ~b x6"SgE-)@Do2`k܉8=n*/D3=ڑB,AJ1 tI]Vܘdpآ 1Z-~{t߹xVKre Z> "ZqI4E|s wQ[== qK>aR=72,$)2 ]@^5WH ;`ؾ:wwI*PPPP}ՊR+^Cuzi۽wžmp.h_3'uHAv8sқvg]y۷V1ܗzSoX; A!H}W.0W_?7v_do%%eq}"=-V޷sB^s<yb-ꍝ_ھGXqiQTsۄet5}!X1@ %p0eK,)WALNO#NI -GEVN2 W^1OF4v}k'cdACBc^j]Yak!08 '_ < m 꿼ooSjx| ޼@PDLFae"?w}Lg;2(PT>k~~i/m~ṙc'ȗyX 'gӈat0h-{8R[xz1C17w@ aLW秺L>rR^Fʼn߳yx](Z@lnK3g+hz$s/| =[fTnCnĽq4+u΍^O/ :â="L1G Ks=ME).a ?Dy um|Tz#om?&L&(,@^t bB? oI?I5?O:&dQ?7(p[COoq'H|?#E<DQ#=t]UhF? g~Eu 쀤Pb!Y@4#|n}IA"6,֢A\ۦ&7NsnJ(aږޮؕĠAIB4vĸW\n"I0HUWkn+ ,F&"Y"'"KIE/]^|~8. dRxnIAKfRPi/ \95͂E / tMc%5JU(5ub?=G/ttAk-c"]J1x~[O֘1h*B UٜA5]RU BI?=Zj>k`csܴܧ5̈ ZOkaf`J;7e6]4_q=!o7ݝAfnVu&C[wnWmD܀mQNáDXo)2n-&~iXx>H'*t=jhp#J)Ta "*e9 JI-Gy=0#u_ZՔV-`{dRVNh/j Y9f Փ>-,bGc0/Ƙ;0/bZNa=4Mw[S(qZ:<~Q-DR!&҃R K 70-^`wUqji\-c zv[ix61A6XC@ݥDm+i!GY, t:w>ҢSF;6vCWѵATJ{=yJ-h>#ԹqIYrBGیh%=QH 4&/xXfLW<00t+P̲jNT\֏pY=XCE3 L _\}ĭBVU%ruY:_D_t[6Kwh `6%g#d )<]Сr@JoIg?4، Pm̼܏@GBSx# &WGd.$qOs5D< roEVIz# ,@g,Eꊍ\DQgBcmy 윓M﷯{aȐ]Q_[s<:}GTag(4Ey8u}@Nxl0W)&V-=peɖàzEQp#ߛ> c[7ΥiEZ<& .ycI 8^yN4X+ݐ7,X2|%{xbRU+J)|U3ʰLXUKͲg2VqɅ&JZ! `xzNrdhz?;X~@|LBz،\ݹ<`grڽ&Mrznu^yKa[+|Sw'ݫϧu粟kZ|j%E'}ҽlIJ/6ρ33_3ʯz}I8QޅnF9rz}y hjg@Si}>@?dG(ku֗wZFQd3ˌr'?r{埡sfE\_,@ߋ ^}.2s_dy2z'(Q~gd_@EF9e^\f%eu݌wAt3OK7C\\e5u^=_>f'(U}Sn&&oon2/9IR< 9k^픊8kgK " SV9,.O3kP g  ~-2*B @^~ kJ+ťW*7YKxM}%k{[Z1nvd}חG{1*,xW&e^>&c˼$=)>w懤Ixմ] &JRW[O'ikr(%s<2g!gs=* t=}}:1\{ %Y#ܻ Gz‰nQ'L2~<'Ԏ2nOArr m>v#yc^xP[Йq喏ޢD)Fyk@[x7JnAm= `/烫6{̧dA]eGӠ[?nLBpDc H-L{HNeFqL}knLIL=C)}5d]MWlƌ{cv@7maHfT.jZQo\)Uʹ俓k$29〈7X0&T$`vXJ D`q9#Tx|Demҫ&9!C;b{hǜ[ɖ^c wp%EУc ov̺֯˘C͛YȋæȖጽNׯX a` `TBPcoq =u] YI 4cܹ?|ͧ-F.dЬ!%cv[F0ͭ.yM`&#҄wgY"DӼx4<;4Xr(9Pijl1@Щ>7rAr&ߢ!pO U-Aİ[c"fx`_x"B` jϗ5[nc塦$P#"96>63gH6O,#V}E1"0 ; R.LzI{[mV?Ap[$c2 Arhԃ`wƨg=F|kR0A| $ Oar('Vzgi@ ^,a+sh.KƍK`b?94#0Հħ%N@f:2_ m>Zo/TLHd v"ѱ:4.q+D.焽HaC4u;WeԦB&On oq X?(xcläd{1«U/=ׇ"2cX =yP%)^xjA߭ed#ə W B| ,*- )HQ۝aFm% 1o %:f*Hvx&eDaiЄΧ\p穎DU|JA1^<&;z"c*1ue|n@HUgf2{M{:o90kn>7Q$L{xr:Y W)6O~0qCĶ2pئ?MSw(\*],1Ał?vLwVp?"cQ*Ԯ^g͜ ŧSW<߶JP'jTVw@8l6ږ?Y c/p$`:Vڕ+zYL1e~}=3ӲG(q",@zP`y%K@$4{Wf q쎢U.nDl`a^o1n,ـ9@6ٵv)E=b농\ ѨpSTUD'3^k'gymD]E>*Ѝ5O|3'5ȱ ya1 g{y6W=?5zlvf~wx:YʐLW\DI qk.-(ua4,Lb9"[^QI(\vX3%|"@a)5|`n~ӧf<˜4W6QĶqytʵ-ˉ;{`YO|q*\ƕY_Sq|>o/],{ٗNχ<|;XYx(~']e(FRqO\||8(>wc3u㖗7O~pxْŠ6EKB^i B"Awl:񪞽P7v r9̳p7*Р~o,je{'14ɻmEgl3W'5X-lu; og"f/On6%s|NVKI+.^ͦG( w]&l*)vyml-C6C-{?-ۧ*