Red Hat Inc. took the first step this week toward the inclusion of Security Enhanced Linux in its enterprise offerings...
when it released Fedora Core 2, test2.
The latest beta of Fedora, an openly developed and constantly changing version of Linux sponsored by the Raleigh, N.C.-based distributor, includes SE Linux and is based on the 2.6 kernel. Enterprises are unlikely to deploy Fedora for mission-critical systems, but it does serve as a proving ground for Red Hat Enterprise Linux. RHEL 4.0 is on course for an early 2005 release and is likely to include SE Linux, said Fedora technical lead Cristian Gafton.
Red Hat hopes to hear feedback from the community on test2, in particular on the granularity of the default SE Linux security policy.
"We want to strike a balance. We don't want to make it too paranoid that it breaks things and people starting turning it off," Gafton said. "But we don't want to make it too relaxed either -- where people won't see the benefits and get a good perception of its benefits."
Gafton said Red Hat is working on a set of administration and configuration tools in advance of RHEL 4.0 in order to simplify the deployment and management of SE Linux.
"Setting up and maintaining SE Linux is more complex than a traditional discretionary access control model (DAC)," Gafton said. "We are working on system configuration and policy-editing tools to make this easier on administrators."
Standard Linux security is based on the discretionary access control model, where one superuser account has control over access permissions to resources on a network or file systems. The danger there, Gafton said, is that it creates a single point of failure. If a hacker cracks a root account, he would have the same privileges as the superuser.
With SE Linux, which is an implementation of mandatory access control (MAC) in the Linux kernel, root functionality is split into roles, Gafton said. Mandatory access control separates permissions for users, programs, processes, files and devices. Specific applications are granted only the permissions they need to function.
"You don't have that all-powerful root account anymore," Gafton said. "Deciding how granular those roles are is the essence of the SE Linux policy."
SE Linux, which was developed by the National Security Agency, makes sense for government agencies, plus companies in financial services and other industries, Gafton said.
"It's all a matter of how you implement the security policy," he said. "We are trying to get a system in place where we can look at all the actions needed for a security audit. Whether you have it finely tuned or [maintain] a relaxed policy is up to the user."
FEEDBACK: Is the inclusion of SE Linux a big deal to your enterprise?
Send your feedback to the SearchEnterpriseLinux.com news team.