SELinux, not so complex after all

Jun 6, 2007 11:11 GMT

SELinux is not a Linux distribution, as some of you might think. It is an implementation of mandatory access control using the Linux Security Modules in the Linux kernel. It was first developed by the US National Security Agency (NSA) and then released to the open source community, mainly for development purposes.

Among the supporters of and contributors to SELinux's development, I can count important names such as Network Associates, Secure Computing Corporation, Trusted Computer Solutions, Red Hat and many others.

As I've said before, SELinux enforces mandatory access control policies in the Linux kernel. This means that the ability of programs or daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example) is very small, if not eliminated altogether. Its mechanism operates independently of the traditional Linux access control mechanisms. SELinux has no concept of a "root" super-user and does not share the shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).

Some administrators, developers and security experts have criticized SELinux as being too complex to set up and administer. Others have objected to its use of inode labeling rather than pathnames as the basis for its access control.

Jim Klein, the director of information services and technology at California-based Saugus Union School District, considers "...the biggest problem for SELinux" to be mindshare. According to him: "It developed a stigma early on due to the lack of tools for configuration and troubleshooting, which led people to simply turn it off."

But Red Hat's Dan Walsh, principal software engineer and a regular contributor to the SELinux project, said the SELinux "complexity problem" could be waning. SELinux now comes turned on by default in Red Hat Enterprise Linux 5. SELinux was also included in RHEL 4, but only now is it said to be really safe. "RHEL 4 was like a demonstration of the technology. We had confined it to a certain amount of domains, or 15 targeted programs [within RHEL] that applications had access to," said Walsh. With RHEL 5, the number of targeted systems has been increased up to 200. "The goal with RHEL 5 is to leave SELinux on everywhere," commented Walsh.

Dan Walsh also said that SELinux has a new GUI in RHEL 5 to assist in management, as well as a set of configurable Booleans which allow IT managers to modify network ports, file labeling and even user mappings.