Information Security News mailing list archives

Linux Gets Security Boost from NSA


From: InfoSec News <isn () c4i org>
Date: Wed, 25 Feb 2004 04:10:59 -0600 (CST)

http://www.internetnews.com/dev-news/article.php/3317331

By Sean Michael Kerner 
February 24, 2004 

Most stories about government deployments of Linux involve a
distributor helping various federal and municipal agencies install the
open source operating system. But in this case, a federal agency is
helping Linux.

The U.S. National Security Agency (NSA), also known as the codemakers
and codebreakers cryptologic division within the Department of
Defense, has helped to harden Linux with newly released Security
Enhanced Linux (SELinux) kernel modifications.

The latest release, which updates the base kernel to 2.6.3 and 2.4.24,
contains numerous significant improvements to security in the open
source operating system. The SELinux improvements mark a major
breakthrough for Linux. Because of the NSA's contributions to the
kernel, the new security features will now show up in mainstream
distributions of Linux.

"Conditional policies are significant and also networking hooks were
added, which makes SELinux all that much more powerful," Joshua
Brindle, hardened Gentoo Linux Project Leader and the NSA's SELinux
contributor, told internetnews.com.

"They also exported AVC controls to userland to facilitate
strong X-based access control and privilege separation," he added.

SELinux was released by the NSA under the GNU GPL open source license.  
SELinux is essentially a Linux kernel with a number of utilities that
provide enhanced security functionality. But the critical component of
SELinux is how it implements and handles mandatory access controls.

"SELinux is important because mandatory access controls are essential
to limiting access to daemons and users to only what they need. It
also solves the age-old almighty powerful superuser problem in Linux,"  
Gentoo's Brindle told internetnews.com.

"We stress however that it isn't an end-all solution, that it must be
combined with additional layers of protection."

Debian, Gentoo and Red Hat Fedora's latest test release of Fedora Core
2 all currently make some use of SELinux. Red Hat also plans to
incorporate SELinux into its next Red Hat Enterprise Linux release.

This "marks an important milestone in what enterprises globally feel
is an important issue," Red Hat spokesperson Leigh Day said of the
SELinux update. "One of the first issues we hear from our customers
when talking with them about solution requirements is security," she
told internetnews.com. "We're pleased to be working with the NSA to
bring SELinux to our distribution. We will incorporate SELinux fully
in our next release of RHEL 4."

The Security-enhanced Linux kernel enforces mandatory access control
policies that confine user programs and system servers to the minimum
amount of privilege they require to do their jobs.


