Security enhanced Linux, a set of kernel modifications and utilities initially developed by the National Security Agency, bolsters the security of Linux systems by enabling administrators to more finely tune data and process permissions. SELinux enforces mandatory access control policies, which limit user and application privileges to the minimum required to do the job. In contrast, most operating systems have DAC (discretionary access control) schemes in which a process has access to everything available to the user who launched it.
By limiting processes to the resources they require, administrators can limit the damage done by compromised or misbehaving applications—for example, a process with root privileges has free reign over a DAC system.
eWEEK Labs tested SELinux with the second test release of Red Hat Inc.s Fedora Core 2, updated with the latest packages available through the Fedora development package repository.
The Fedora line is Red Hats bleeding-edge Linux distribution, and it will be among the first distributions to ship with SELinux by default when its released later this month.
SELinux can be installed on any Linux distribution, but having a preinstalled, distribution-specific SELinux implementation makes testing and using the system much easier.
Red Hat officials said the company will include SELinux in Red Hat Enterprise Linux 4, which is expected to ship in the first quarter of next year, and work has been done to integrate SELinux with the Debian and Gentoo distributions of Linux as well.
SELinux works with the LSM (Linux Security Modules) framework, a feature that was added to the kernel with the 2.6 release. Linux 2.4 kernels may be patched to support LSM and SELinux.
SELinux uses a system of policies that describe roles for applications and users. There are policies covering each application and data object on an SELinux machine. This system of policies is complicated, and the need for checking rights against SELinuxs security manager imposes additional overhead, currently about 7 percent, as reported by testers. The SELinux code hasnt been speed-optimized, but some level of overhead is unavoidable.
Work remains to be done writing policies for applications other than those that ship with Fedora by default. SELinux contains a utility called audit2allow, against which administrators can run their applications to help automate the policy-writing process.
SELinux may be configured to run in active, permissive and disabled modes. In active mode, SELinux will deny access not provided by policy. In permissive mode, SELinux logs access violations but allows them; this mode is important for writing policies and seeing how SELinux behaves without disturbing usage.
In Fedora Core 2, these modes are configurable from a new tab in the firewall configuration tool, and users have the option of choosing the initial SELinux state during installation.
The Fedora team has chosen to ship Fedora Core 2 with SELinux disabled by default because it will take time to see how SELinux interacts with the full range of applications that users run on their Linux systems.
Because of the complexity of SELinuxs policies, the program at first will work best with servers that are exposed to the public Internet and that operate a small number of separate services. In these machines, SELinux supplies the tougher security from which Internet-facing machines can best benefit.
That these servers run a clearly prescribed set of applications will make it easier for administrators to manage the policies required to run them. On individual workstations located behind a firewall, the added administration and system resource overhead decreases the attractiveness of SELinux at this point.
Senior Analyst Jason Brooks can be reached at [email protected].
Be sure to add our eWEEK.com Linux news feed to your RSS newsreader or My Yahoo page: