Linux security experts are reporting a growing list of real-world security situations in which the US National Security Agency's SELinux security framework contains the damage resulting from a flaw in other software. These so-called "mitigations" are showing that a Linux feature that began as an esoteric security measure is starting to prove its worth.
What’s new in SELinux for Red Hat Enterprise Linux 5? by Dan Walsh
Red Hat Enterprise Linux 5 Guide from the National Security Agency
The US National Security Agency first published SELinux in 2000, and Linus Torvalds accepted it into the mainstream kernel in 2002, but for much of the time since then it has been largely of academic interest. Many Linux administrators first saw SELinux in the form of a long article or tutorial that started with a whole new glossary of security terminology. And if you put SELinux on a real system, the error messages for a failed configuration were confusing.
But the announcements of several recent security holes tell a new story: SELinux, if turned on, can prevent an attacker from using an exploit to its full destructive potential. For example, one vulnerability in the Hewlett-Packard Linux Imaging and Printing Project's software would have allowed an attacker to run arbitrary commands as root. However, according to the company's security advisory on the bug, "On Red Hat Enterprise Linux (RHEL) 5, the SELinux targeted policy for hpssd which is enabled by default, blocks the ability to exploit this issue to run arbitrary code."
Dan Walsh, an SELinux developer at Red Hat, covered another, higher-profile mitigation on his blog. Samba, the software that acts as a file server for Microsoft Windows systems, had a vulnerability that would have allowed an attacker to run commands as root. However, "while the exploit might be able to take advantage of a buffer overflow, when the attacker tries to execute the code, SELinux would stop it," he wrote.
"SELinux took a bit of a black eye by hitting it big a bit earlier than it should have," said Chad Sellers, Lead Software Architect for Tresys Technology, LLC, in an email interview. He adds, "SELinux systems have become much easier to use while at the same time protecting more and more things. The tools are much improved now so that if there's a problem, it's usually fairly easy to fix."
RE: A seatbelt for server software: SELinux blocks real-world exploits
By Sherryl on February 27, 2008, 11:01 am
Interesting article. I am wondering if anyone is experiencing SELinux being adopted in industries other than government. Is it becoming more mainstream?

Having a credible resource...
By Joe_Wulf on February 27, 2008, 9:31 pm
... that blocks real-world exploits is what we (and arguably the world) needs to hear more about. This is the stuff that is under-reported in the mainstream. What...