This is the beginning of an interesting article about SELinux and the drive to get it certified. I find SELinux to be a very interesting addition to Redhat and have been watching it since it came out.The Cyberspace Policy Institute at The George Washington University is launching an effort to get international security ratings for the U.S. National Security Agency-driven Security Enhanced Linux project, a move that organizers hope will make Linux more attractive to cautious technology purchasers, including government agencies.
Any thoughts on SELinux?
I have high hopes for SELinux but don't see it obtaining them. The kernel can only be used (wellm only supose to be used) by US citizens because of the crypto patch and what not applied to the kernel. While I think it is a good idea I think they should send the patches and systems to Linus so it can be merged into the stock kernel instead of trying to maintain their fork.
*sigh* Another misinformed person. It's not your fault though, probably more of NSA's fault for not being clear enough for what they are doing.I have high hopes for SELinux but don't see it obtaining them. The kernel can only be used (wellm only supose to be used) by US citizens because of the crypto patch and what not applied to the kernel. While I think it is a good idea I think they should send the patches and systems to Linus so it can be merged into the stock kernel instead of trying to maintain their fork.
First, SELinux is a way to program your own security into the kernel. Think of it as way of allowing for people to insert security plugins into the kernel. If you are familiar with access control lists (ACLs), this is somewhat like that, only better. Instead of saying that these users can perform these operations on these directories or files, you can program exactly what a user(s) can do with those files or directories. So basically you can do something like telling httpd exactly what directories it has access to, what files it can read from, what files it can write to, what functions in its code it can use, and how it's supposed to serve out its web pages, and that's it. If someone hacked httpd, they wouldn't have a shell account because httpd wasn't given that access. Even if they had a shell, they'd have a very limited number of access, read, and write permissions.
Linus wants to put in some sort of pluggable security mechanisms, but this isn't the only effort out there, it's just the most popular right now (even HP has something like it, but not too many people are optimistic about it.) The NSA has been sending people to the various Linux Kernel Summits, With that in mind, it might be safe to say that this is the type of security that Linus is considering.
To dispell a misconception or two, here is a quote from the following nsa website: *http://www.nsa.gov/selinux/faq.htmlI have high hopes for SELinux but don't see it obtaining them. The kernel can only be used (wellm only supose to be used) by US citizens because of the crypto patch and what not applied to the kernel. While I think it is a good idea I think they should send the patches and systems to Linus so it can be merged into the stock kernel instead of trying to maintain their fork.
So, as you can plainly see, the NSA is playing nice with the international Linux community. *The NSA isn't really forking the kernel anymore than Alan Cox or any of the other kernel hackers who release patched versions of the kernel are. *They are providing a research tool for the general community to use and improve. *Heck, it would be nice to see it folded into the kernel at a later date. *19. *What are the licensing restriction on it?
* * * *All source code found on this site is released under
* * * *the same terms and conditions as the original sources. *
* * * *For example, the patches to the Linux kernel, patches to
* * * *many existing utilities, and new programs and libraries
* * * *available here are released under the terms and *
* * * *conditions of the GNU General Public License (GPL).
* * * *The patches to some existing utilities and libraries
* * * *available here are released under the terms and *
* * * *conditions of the BSD license.
20. *Are there any export controls on it?
* * * There are no additional export controls for Security-
enhanced Linux over any other version of Linux.
Also, I didn't see anything in the faq talking about crypto. *Where did you see crypto, Ashcrow?
I would like to dink around with an encrypted file system running in conjunction with either a bastille hardened system or an SELinux patched system. *See how it works and holds up to normal, everyday use. *Anyone have any experience with the encrypted file system?
Posting Permissions
Reply With Quote
Bookmarks