LinuxWorld

A seatbelt for server software: SELinux blocks real-world exploits

A security framework originally published by the US National Security Agency has begun to rack up an impressive list of protections against security holes.

Linux security experts are reporting a growing list of real-world security situations in which the US National Security Agency's SELinux security framework contains the damage resulting from a flaw in other software. These so-called "mitigations" are showing that a Linux feature that began as an esoteric security measure is starting to prove its worth.

The US National Security Agency first published SELinux in 2000, and Linus Torvalds accepted it into the mainline kernel in 2003, but for much of the time since then it has been largely of academic interest. Many Linux administrators first saw SELinux in the form of a long article or tutorial that opened with a whole new glossary of security terminology. And if you did put SELinux on a real system, the error messages for a failed configuration were confusing.

But the advisories for several recent security holes tell a new story: SELinux, when enabled and enforcing, can prevent an attacker from using an exploit to its full destructive potential. For example, one vulnerability in the Hewlett-Packard Linux Imaging and Printing Project's software would have allowed an attacker to run arbitrary commands as root. However, according to the company's security advisory on the bug, "On Red Hat Enterprise Linux (RHEL) 5, the SELinux targeted policy for hpssd which is enabled by default, blocks the ability to exploit this issue to run arbitrary code."

Dan Walsh, an SELinux developer at Red Hat, covered another, higher profile mitigation on his blog. Samba, the software that acts as a file server for Microsoft Windows systems, had a vulnerability that would have allowed an attacker to run commands as root. However, "while the exploit might be able to take advantage of a buffer overflow, when the attacker tries to execute the code, SELinux would stop it," he wrote.
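In both the hpssd and the Samba case the exploit still fires; what SELinux blocks is the follow-on step, and the evidence of that block is an AVC denial in the audit log. The following Python script is an added example, not code from the article, Red Hat or the projects mentioned: it parses audit records in the format auditd writes for SELinux decisions and pulls out the denials that indicate a confined daemon tried to execute code it is not allowed to (anonymous executable memory, a shell binary, and so on). The log lines are constructed for the example; the domain names (smbd_t, hplip_t, httpd_t) and permission names are standard targeted-policy identifiers, but the events themselves are invented.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of audit.log records, in the layout auditd uses for
# SELinux AVC decisions. These events are illustrative and were not taken
# from the incidents the article describes.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1184712345.123:456): avc:  denied  { execmem } for  pid=1234 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=process
type=SYSCALL msg=audit(1184712345.123:456): arch=c000003e syscall=10 success=no exit=-13 items=0 ppid=1 pid=1234 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1184712346.001:457): avc:  denied  { execute } for  pid=2211 comm="hpssd" name="sh" dev=sda2 ino=98765 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1184712350.500:458): avc:  granted  { read } for  pid=2211 comm="hpssd" name="hplip.conf" dev=sda2 ino=12345 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=AVC msg=audit(1184712360.250:459): avc:  denied  { write } for  pid=3001 comm="httpd" name="index.html" dev=sda2 ino=5555 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# Only AVC records carry the policy decision; SYSCALL, CWD and PATH records
# in the same event are skipped by this regex.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+"
    r"(?P<fields>.*)$"
)
# key=value pairs; values are either quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions whose denial means "code the process tried to run was stopped":
# execmem/execstack/execheap/execmod on the process itself, execute and
# execute_no_trans on a file the domain may not run.
CODE_EXEC_PERMS = frozenset(
    {"execmem", "execstack", "execheap", "execmod", "execute", "execute_no_trans"}
)


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    decision: str              # "denied" or "granted"
    permissions: frozenset     # e.g. frozenset({"execmem"})
    comm: str
    pid: int
    scontext: str
    tcontext: str
    tclass: str

    @property
    def domain(self) -> str:
        # A context is user:role:type[:range]; the type is the domain.
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc_records(log_text: str) -> List[AvcRecord]:
    """Parse every AVC record in an audit log excerpt into AvcRecord objects."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        records.append(AvcRecord(
            timestamp=float(m.group("ts")),
            serial=int(m.group("serial")),
            decision=m.group("decision"),
            permissions=frozenset(m.group("perms").split()),
            comm=fields.get("comm", "?"),
            pid=int(fields.get("pid", "0")),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
        ))
    return records


def blocked_code_execution(records: List[AvcRecord]) -> List[AvcRecord]:
    """Denials where a confined domain was stopped from running code."""
    return [r for r in records
            if r.decision == "denied" and r.permissions & CODE_EXEC_PERMS]


def denials_by_domain(records: List[AvcRecord]) -> Dict[str, int]:
    """Count denials per source domain, a quick view of which daemon is misbehaving."""
    counts: Dict[str, int] = {}
    for r in records:
        if r.decision == "denied":
            counts[r.domain] = counts.get(r.domain, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_avc_records(SAMPLE_AUDIT_LOG)
    for r in blocked_code_execution(recs):
        print(f"{r.comm} (pid {r.pid}, domain {r.domain}) denied "
              f"{' '.join(sorted(r.permissions))} on {r.tclass} {r.target_type}")
    print(denials_by_domain(recs))
```

On a live system the same records come from `ausearch -m avc` (or directly from /var/log/audit/log). Two caveats for anyone relying on this as evidence of a contained exploit: the denial only means the policy stopped that one action, so check `getenforce` reports Enforcing rather than Permissive (in permissive mode the same AVC line is logged but the action is allowed), and a daemon running as unconfined_t is not subject to the targeted policy at all, so a missing denial is not proof that nothing happened.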

SELinux gets tools, software integration

"SELinux took a bit of a black eye by hitting it big a bit earlier than it should have," said Chad Sellers, Lead Software Architect for Tresys Technology, LLC, in an email interview. He adds, "SELinux systems have become much easier to use while at the same time protecting more and more things. The tools are much improved now so that if there's a problem, it's usually fairly easy to fix."
