NZ developer preps for hardened Linux
Subscribe now for $100 (23 issues) and save more than 37% off the cover price!
Get the latest news from Computerworld delivered via email.
Sign up now
Security Enhanced Linux, a “hardened” version of the open source software that was helped into existence by a US spy agency, is on the verge of gaining broad acceptance, a local developer says.
Kerry Thompson, an Auckland security consultant, says the pending release of the Fedora Core 2 distribution will introduce SELinux to mainstream Linux users. Fedora is sponsored by Red Hat and built upon Red Hat 9, and has been adopted by many of the former Red Hat community. Red Hat Enterprise Linux 4, due early next year, will also include SELinux technology.
SELinux, produced by the National Security Agency, security companies and open source developers, extends the Linux kernel to include a mandatory access control (MAC) system, restricting access to system resources for users and programs. MAC makes it more difficult for a rogue user or program to take control of other processes, files or devices.
Thompson has done “a fair bit” of SELinux testing, development and documentation over recent years but hasn’t yet managed to install SELinux on a client’s computer.
“I haven’t heard of anyone in New Zealand doing deployment,” he says. “No one’s used it in anger.”
Fedora is likely to change that. Red Hat developers use Fedora as a testing ground for the company’s enterprise distribution, so bugs and implementation issues should get attention.
Fedora Core 2 is currently available in beta release; a final version is expected next month.
At the moment, SELinux probably isn’t ready for widespread production use, Thompson says.
“It’s still pretty much beta software. It’s still quite experimental and it uses features that could mess up your servers and things like that,” he says. “It’s also debatable that people really need it.”
Customers that do need very secure computers are likely to use hardened Unix systems, he says, but SELinux promises much more.
“You can load a policy in the kernel of a box and tighten it down far more than you could with a normal Unix box,” Thompson says.
Thompson’s unofficial SELinux FAQ can be found here. Last week he presented a demonstration to the Auckland Linux User Group, with 23 people attending.
“But as Fedora comes out and it gets more mainstream, we expect more people will be interested in this,” he says.