
How the NSA Took Linux To the Next Level

Soulskill posted more than 6 years ago | from the not-by-beating-the-end-boss-of-the-previous-level dept.

Security 172

An anonymous reader brings us IBM Developerworks' recent analysis of how the NSA built SELinux to withstand attacks. The article shows us some of the relevant kernel architecture and compares SELinux to a few other approaches. We've discussed SELinux in the past. Quoting: "If you have a program that responds to socket requests but doesn't need to access the file system, then that program should be able to listen on a given socket but not have access to the file system. That way, if the program is exploited in some way, its access is explicitly minimized. This type of control is called mandatory access control (MAC). Another approach to controlling access is role-based access control (RBAC). In RBAC, permissions are provided based on roles that are granted by the security system. The concept of a role differs from that of a traditional group in that a group represents one or more users. A role can represent multiple users, but it also represents the permissions that a set of users can perform. SELinux adds both MAC and RBAC to the GNU/Linux operating system."


172 comments


All very good, but... (4, Informative)

Shuntros (1059306) | more than 6 years ago | (#23369580)

SElinux alone is an utter pain in the ass to work with, hence many Linux admins simply switch it off.

Extensions such as AppArmour (formerly known as SubDomain), are what people should be embracing in order to make practical use of this excellent technology. Whilst using the same kernel hooks, AppArmour allows you to "snapshot" an application's activity and build a ruleset which can then be applied to the process. Much easier than titting around with SElinux policies forever and a day...

Re:All very good, but... (5, Informative)

FurtiveGlancer (1274746) | more than 6 years ago | (#23369740)

utter pain in the ass to work with....

Long ago, in the days when MLS was just the holy grail, Harris Corporation created the first A1 rated Multi-Level Secure computer system. I can't recall the name given to it, BlackHawk or something overblown like that. It was secure, but utterly unusable. According to some early testers I knew, it took more than 10 minutes just to log on. The command line took, on average, 5 minutes to respond to the simplest command. There were no policy templates, so all permissions and access lists had to be entered manually.

SELinux doesn't look quite so bad in that light, now does it?

Re:All very good, but... (2, Insightful)

Anonymous Coward | more than 6 years ago | (#23369790)

utter pain in the ass to work with....

Long ago, in the days when MLS was just the holy grail, Harris Corporation created the first A1 rated Multi-Level Secure computer system. I can't recall the name given to it, BlackHawk or something overblown like that. It was secure, but utterly unusable. According to some early testers I knew, it took more than 10 minutes just to log on. The command line took, on average, 5 minutes to respond to the simplest command. There were no policy templates, so all permissions and access lists had to be entered manually.

SELinux doesn't look quite so bad in that light, now does it?

Yeah, yeah, yeah and it took years to calculate by hand before computers and months to travel any distance before airplanes. So what's your point?

SELinux is a pain in the ass. Your comparison is meaningless.

Re:All very good, but... (0)

Anonymous Coward | more than 6 years ago | (#23369992)

Actually yes, it does. It just doesn't look as bad as some old piece of crap that you worked on, that's all.

Re:All very good, but... (3, Funny)

SlashWombat (1227578) | more than 6 years ago | (#23371306)

I guess when the project failed, all the programmers were snapped up by Micro$oft to work on their Vista project!

Re:All very good, but... (5, Informative)

Znork (31774) | more than 6 years ago | (#23369970)

SElinux alone is an utter pain in the ass to work with, hence many Linux admins simply switch it off.

I used to think so, but IMO, around FC7, F8 and RHEL 5 (ie, last year) the tipping point was reached. setroubleshoot and the tools around it are verbose to the point of telling you what to type so it's neither a problem noticing that there is an selinux denial nor any problem finding out what to do about it anymore.

Many integration problems (applications and libraries doing funky stuff they plain shouldn't be doing, something not unique to selinux) have also been fixed at the appropriate places, leading to far fewer failures.

Switching to MAC security has historically always been a serious pain in the ass (to the point where admins may have been better off implementing security by lack of mains power), but considering how painless it's gotten now I'd say whining about SElinux today says more about the admin than the software...

Re:All very good, but... (1)

HuguesT (84078) | more than 6 years ago | (#23370762)

Agreed, I have SELinux fully on with F8, I do notice a few messages from time to time, which I usually correct following the instruction given by SETroubleshoot, and all is well so far.

I'm not positive my system is any more secure than if it were off, but at least I don't get angry and dismissive about it.

Re:All very good, but... (4, Interesting)

zrq (794138) | more than 6 years ago | (#23369976)

.. hence many Linux admins simply switch it off.

Fine by me.
Means that when it becomes mainstream, anyone who is familiar with how to configure and use it will be in high demand.

Re:All very good, but... (4, Insightful)

gaspyy (514539) | more than 6 years ago | (#23370392)

Means that when it becomes mainstream, anyone who is familiar with how to configure and use it will be in high demand.

If no one's using it, how will it become mainstream?

Re:All very good, but... (0)

Anonymous Coward | more than 6 years ago | (#23371068)

Um, you make this statement based on what, something that fell out of your nose during a big sigh? Seriously, have you polled the community? Working within the Federal government and with many contractors and vendors I can say based on my experience and observation that SE is a de facto standard in this space. This may seem obvious since it's the Fed and associated companies using it, but remember that just about anyone selling anything sells (at some point) to the Fed. I would say that the current trend is in fact toward SE use rather than ignoring it.

Re:All very good, but... (0)

Anonymous Coward | more than 6 years ago | (#23371078)

In exactly the same way as every year is supposed to be the year of "Linux on the Desktop", according to /.

Re:All very good, but... (4, Informative)

Z00L00K (682162) | more than 6 years ago | (#23370020)

The concept of SELinux is good, but it isn't very friendly for the system administrator and the developers.

A toolkit that allows for easy integration of new applications into SELinux and adaptations of already defined applications would be useful. There are some around, but none are really good. The best would be if SELinux could allow for a "learning" mode for a single application in addition to the modes it has. Something like the Zonealarm firewall that is a bit noisy in the beginning, but as soon as it has learned what's permitted it goes silent. This will of course require a user-space application listening to the SELinux events. So a mode that allows SELinux to be permissive for a single application while strict for the rest of the system would be a nice thing.

One common problem that I have experienced is that databases like MySQL are defined in SELinux, but it's very common that the data storage is going to be relocated in a production environment. This is a cumbersome process that costs a lot of work and pain.

Another problem is the issue of semantics involved. It's not always clear and takes a lot of time to get familiar with.

And still - SELinux is a "static" security measure, which only controls the permitted access between application and resource. It doesn't consider any frequency or volume. For example - a mail program may do a limited number of connections to port 25 per second, which is a normal situation, but if a higher frequency occurs that means that there may be a problem that has to be checked. OK - It's not easy to be intelligent about things like this, but system behavior pattern is a critical point in security too.

So from a view of security SELinux is still only a step on the way; the threats of tomorrow have to be predicted and handled. This means that SELinux has to be a lot easier to work with for the average person to allow it to become a widespread security base.

Re:All very good, but... (5, Insightful)

lkcl (517947) | more than 6 years ago | (#23370086)

if you believe that selinux is "an utter pain in the ass" then you have misunderstood what selinux is for. selinux is specifically designed to be able to PROVE that an application is secure, using formal mathematical analysis (of the policy files).

[ the principle on which selinux works is that when you change "security context", it doesn't matter a damn if you were "god" before, you're now starting from scratch with zero permissions in the new context unless otherwise specified. this is best illustrated with an example of when you go into a military environment, they take your ID badge away from you and issue you with a temporary one that is only relevant inside that building. you can't even leave the building without that temporary badge, and it's been coded to only let you go to the toilet and into the rooms that are associated with your specific purpose for being in that building. and of course, if you forget to get your permanent ID back once you _do_ leave, you'll find it very difficult to get out the country! ]

one of the "rules" that GCHQ and the NSA follow is that it is perfectly acceptable for something to be "insecure" as long as you KNOW that it's insecure: you can then provide a workaround or a fix to ensure that the security vulnerability is never exploited.

the one thing that you absolutely absolutely must not ever have is a situation where you don't KNOW whether something is "secure" or "insecure".

so if AppArmour has wonderful automated rulesets that are impossible to analyse...

the thing about selinux is that policies require that you understand the source code and what the application is doing. for example, one of the guidelines is that applications should use exec rather than fork, because that provides total privilege separation, obviously, between tasks. fork() does not provide such a complete level of privilege separation, and so up until quite recently there was absolutely no way in selinux to even step into a separate security context on a fork() - it just... wasn't ... even ... remotely worth considering.

however, it turns out that there were some specific instances why stepping into a different security context on fork() is actually useful (such as in samba) and so it was added in. due to the circumstances under which this could be thoroughly abused, it was decided that it should be provided only via an explicit selinux function call (usually, you can just provide an selinux policy statement without any code modifications).
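A small illustration of the kind of policy analysis lkcl describes (and of the summary's "listen on a socket but no file system access" case), as an added Python example that is not part of this thread, of SELinux, or of any distribution policy: it parses a constructed toy policy written in SELinux allow/type_transition syntax, follows exec-time domain transitions from a starting domain, and reports every file-class read/write permission each reachable domain holds. The domain and type names (listener_t, helper_t, helper_exec_t, listener_port_t) are invented for the example, and the toy policy omits the rest of what a real domain transition needs; the real tools for this kind of question are sesearch and apol from SETools.

```python
import re

# Constructed toy policy in SELinux allow/type_transition syntax. The domain and
# type names are invented for this example (not from any distribution policy).
# listener_t may bind its port and exec a helper, but holds no file read/write
# access of its own; helper_t, reached through the domain transition, does.
TOY_POLICY = """
allow listener_t listener_port_t:tcp_socket name_bind;
allow listener_t self:tcp_socket { create bind listen accept read write };
allow listener_t helper_exec_t:file { execute };
allow listener_t helper_t:process transition;
type_transition listener_t helper_exec_t:process helper_t;
allow helper_t helper_exec_t:file entrypoint;
allow helper_t var_log_t:file { append };
"""

FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file"}
# Permissions that let a domain observe or change file contents or metadata.
FILE_ACCESS_PERMS = {"read", "write", "append", "create", "unlink", "rename", "setattr"}

# allow <src> <tgt>:<class> { p1 p2 }; or allow <src> <tgt>:<class> p1;
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([\w\s]+?)\s*\}|(\w+))\s*;")
# type_transition <src> <entrypoint type>:process <new domain>;
TRANS_RE = re.compile(r"type_transition\s+(\w+)\s+(\w+):process\s+(\w+)\s*;")


def parse_policy(text):
    """Return (allow rules, exec transitions) from the toy policy text."""
    allows, transitions = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        allow = ALLOW_RE.fullmatch(line)
        trans = TRANS_RE.fullmatch(line)
        if allow:
            src, tgt, cls, braced, single = allow.groups()
            allows.append((src, tgt, cls, set((braced or single).split())))
        elif trans:
            src, entry, new_dom = trans.groups()
            transitions[(src, entry)] = new_dom
    return allows, transitions


def reachable_domains(start, transitions):
    """Domains a process starting in `start` can end up in through exec transitions."""
    seen, todo = {start}, [start]
    while todo:
        dom = todo.pop()
        for (src, _entry), new_dom in transitions.items():
            if src == dom and new_dom not in seen:
                seen.add(new_dom)
                todo.append(new_dom)
    return seen


def file_access(domain, allows):
    """Set of (target type, class, permission) giving file content or metadata access."""
    found = set()
    for src, tgt, cls, perms in allows:
        if src == domain and cls in FILE_CLASSES:
            for perm in perms & FILE_ACCESS_PERMS:
                found.add((tgt, cls, perm))
    return found


def audit_domain(start, policy_text):
    """File access held by `start` and by every domain it can transition into."""
    allows, transitions = parse_policy(policy_text)
    return {dom: sorted(file_access(dom, allows))
            for dom in sorted(reachable_domains(start, transitions))}


if __name__ == "__main__":
    for dom, access in audit_domain("listener_t", TOY_POLICY).items():
        print(dom, "->", access or "no file access")
```

The traversal is the point: listener_t on its own holds no file access, but because it can transition into helper_t, a claim about what a process started in listener_t can ever touch has to be made over the closure of transitions, not over the starting domain alone. That matches the post's description of a context change: the new domain starts from nothing and gets exactly what its own rules grant.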

Re:All very good, but... (2, Interesting)

jxxx (88447) | more than 6 years ago | (#23370442)

Maybe I'm missing something here, but fork() and exec() do different things. I don't see how one could be used as a general purpose replacement for the other. Do you mean fork followed by exec instead of system()?

Re:All very good, but... (2, Interesting)

Score Whore (32328) | more than 6 years ago | (#23370270)

Forget the pain in the ass nature of the kit. Consider the legality of it. The NSA cannot legally own copyright. Anything they produce is in the public domain. Therefore they cannot legally develop code that is under any license.

Re:All very good, but... (1)

Jah-Wren Ryel (80510) | more than 6 years ago | (#23370898)

Forget the pain in the ass nature of the kit. Consider the legality of it. The NSA cannot legally own copyright. Anything they produce is in the public domain. Therefore they cannot legally develop code that is under any license.

They can let contractors own it - happens all the time as a form of corporate socialism. They can also release to the public domain and let it be incorporated into the kernel - the GPL is compatible with the public domain. I really don't know what the NSA has done in this case, but licenses do not have to be an impediment here.

Re:All very good, but... (1)

Arethan (223197) | more than 6 years ago | (#23370296)

I would have to agree. Having configured both SELinux and AppArmor to their desired effect, AppArmor is definitely the easier and faster of the two to get configured correctly. I'm much more likely to go through the effort to get AppArmor correctly configured, than piss around with SELinux for hours.

SELinux may have more bells and whistles, but when you simply turn it off because it's a pain in the ass it doesn't really make your system any more secure.

Re:All very good, but... (4, Interesting)

John Whitley (6067) | more than 6 years ago | (#23371362)

This was also why a lot of folks prefer the competing grsecurity system [grsecurity.net] . First listed among its features (and this has been available in grsec for years):

An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration

grsec has a lot of other great features; see the link above for details. IMO, it's somewhat unfortunate that grsec has remained a separate patchset for the Linux kernel. Unusable security is useless security; I'm glad to see some catch-up on the SELinux front.

Anyone out there who's used both grsec and SELinux + AppArmour want to favor us with a comparison?

Re:All very good, but... (0)

pembo13 (770295) | more than 6 years ago | (#23371428)

I beg to differ.


wrong (3, Informative)

larry bagina (561269) | more than 6 years ago | (#23369624)

SELinux adds both MAC and RBAC to the GNU/Linux operating system.

No it doesn't. SELinux adds both MAC and RBAC to the Linux kernel.

Re:wrong (0, Flamebait)

Anonymous Coward | more than 6 years ago | (#23369670)

I like to call it the GNU/KDE/Firefox/Apache/Perl/Linux operating system, you insensitive clod!

Re:wrong (0, Troll)

Anonymous Coward | more than 6 years ago | (#23369772)

Yes. And it's not "GNU/Linux" anyway - that term was just made up by Stallman. Everyone who matters has always just called the OS "Linux".

Re:wrong (2, Insightful)

harry666t (1062422) | more than 6 years ago | (#23369828)

> Everyone who matters has always just called the OS "Linux".

Of course including the Debian people, who made one of the greatest distros so far?

(NOT the greatest, but certainly one of the greatest)

Re:wrong (3, Interesting)

pablomme (1270790) | more than 6 years ago | (#23369862)

Everyone who matters has always just called the OS "Linux".

Right. Because none of the packages on this list [fsf.org] matters at all.

Re:wrong (1)

Anpheus (908711) | more than 6 years ago | (#23370504)

If I create an extremely vital set of components for Windows that eventually everyone feels like they couldn't live without, but can actually be shipped without Windows, should I require everyone to refer to Windows as AnpheusIsAwesome/Windows?

Re:wrong (1)

ciggieposeur (715798) | more than 6 years ago | (#23370772)

SELinux has a userspace component, so it adds to both the "Linux kernel" AND the "GNU/Linux operating system".

Re:wrong (1)

schon (31600) | more than 6 years ago | (#23371014)

Funny, I didn't know SELinux user-space utilities were part of the GNU project.

Someone might want to tell the folks who maintain savannah.gnu.org, because there's no mention of it anywhere on their site.

Released? Please, recapture it! (1, Informative)

Monty Worm (7264) | more than 6 years ago | (#23369666)

This is timely, if nothing else. I've spent the last working day wrestling with what turned out to be SELinux, while trying to write a postfix filter. The way these work is postfix gives emails as command line options and STDIO, and the software (usually) connects to SMTP on an alternative port to move the email on. Except with SELinux running (which is installed by default in some distros), it fails. Silently. Please, take it away!

Re:Released? Please, recapture it! (3, Insightful)

HeroreV (869368) | more than 6 years ago | (#23369956)

Why not just fix the silent failure? I don't understand this mentality of "There's a bug in the system! Scrap the whole thing!"

Re:Released? Please, recapture it! (1)

Znork (31774) | more than 6 years ago | (#23370732)

Make a note to make certain setroubleshoot or similar utility is always installed (on RH and derivatives it is, IIRC). That would have given you nice log output and instructions on how to resolve the problem.

Silently.

Yah, used to annoy the hell out of me. It's probably leaving a message in some audit log, but that isn't exactly friendly.

With the appropriate daemons and utilities installed you should get a nice syslog message (or even a blinkety desktop icon if it's on your local machine). Then it's basically just a matter of using audit2allow to convert the audit alerts to selinux policy and loading it.
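The audit-to-policy step Znork describes, as an added Python example (not code from this thread, from setroubleshoot, or from audit2allow): it parses AVC denial records out of a constructed audit log, skips the other record types, and merges the denied permissions per (source type, target type, object class) into allow statements of the same shape audit2allow prints. The log lines, the mailfilter command name and the type names (postfix_pipe_t, etc_t, unreserved_port_t) are constructed for the example; the scenario of a postfix filter connecting to port 10025 follows Monty Worm's post above.

```python
import re
from collections import defaultdict

# Constructed AVC records (not captured from a real host); the type names are
# illustrative. The permissive= field, where present, says whether the access
# was actually blocked (0) or only logged for a permissive domain (1).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1210500000.101:201): avc:  denied  { name_connect } for  pid=4120 comm="mailfilter" dest=10025 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1210500000.102:202): avc:  denied  { read } for  pid=4120 comm="mailfilter" name="filter.conf" dev=sda1 ino=8812 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1210500000.103:203): avc:  denied  { open } for  pid=4120 comm="mailfilter" name="filter.conf" dev=sda1 ino=8812 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1210500000.103:203): arch=c000003e syscall=2 success=no exit=-13 comm="mailfilter"
"""

# One AVC denial: permission set, source/target contexts, object class and the
# optional permissive flag.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
COMM_RE = re.compile(r'comm="(?P<comm>[^"]*)"')


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(audit_text):
    """Extract AVC denials from audit log text; other record types are skipped."""
    denials = []
    for line in audit_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue
        comm = COMM_RE.search(line)
        denials.append({
            "perms": set(match.group("perms").split()),
            "source": context_type(match.group("scontext")),
            "target": context_type(match.group("tcontext")),
            "tclass": match.group("tclass"),
            "comm": comm.group("comm") if comm else "?",
            "enforced": match.group("permissive") != "1",
        })
    return denials


def suggest_rules(denials):
    """Merge denials per (source, target, class) into allow statements, sorted
    so the output is stable for review."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


def summarize(audit_text):
    """Human-readable lines (who was blocked from what) plus suggested rules."""
    denials = parse_denials(audit_text)
    report = []
    for d in denials:
        state = "denied" if d["enforced"] else "logged only (permissive)"
        report.append("%s: %s -> %s:%s %s [%s]" % (
            d["comm"], d["source"], d["target"], d["tclass"], sorted(d["perms"]), state))
    return report, suggest_rules(denials)


if __name__ == "__main__":
    lines, rules = summarize(SAMPLE_AUDIT)
    print("\n".join(lines))
    print("\nSuggested policy (review before loading):")
    print("\n".join(rules))
```

The suggested rules are a starting point for a decision, not something to load as-is: a read denial on etc_t for the filter's own config file is often better resolved by labelling that file with a type the domain already reads than by widening the domain to all of etc_t, and setroubleshoot's advice makes the same distinction when it recommends a relabel or a boolean instead of a new module.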

Security vs Functionality tradeoff (0)

redelm (54142) | more than 6 years ago | (#23369668)

While I have some interest in seeing these crackdowns, I feel the main topic goes undiscussed: What functionality is being sacrificed for security? I don't see any mention SEL will run Firefox.

Microsloth is only very slowly coming around to the idea of user accounts and privilege isolation (badly implemented in MS-Windows-Vista) in spite of repeated warnings from the NIST and the longtime availability of NIST Registry patches. While MS might be suboptimizing for low early user-support calls, they are not entirely stupid and must have chosen low security defaults for some reasons.

Until these reasons for low security are thoroughly discussed and refuted, that model will persist. "Better safe than sorry" convinces only those already convinced. I say: Better neither than either.

Re:Security vs Functionality tradeoff (5, Informative)

garett_spencley (193892) | more than 6 years ago | (#23369748)

I don't see any mention SEL will run Firefox.

SEL doesn't "run" anything. It's basically access control lists implemented for the Linux kernel. So rather than using only the traditional unix-based filesystem permissions you can finely control what individual processes, groups and users can do in ways not possible with unix filesystem permissions alone.

It's explained not just in TFA but the summary:

"If you have a program that responds to socket requests but doesn't need to access the file system, then that program should be able to listen on a given socket but not have access to the file system. That way, if the program is exploited in some way, its access is explicitly minimized. This type of control is called mandatory access control (MAC). Another approach to controlling access is role-based access control (RBAC). In RBAC, permissions are provided based on roles that are granted by the security system. The concept of a role differs from that of a traditional group in that a group represents one or more users. A role can represent multiple users, but it also represents the permissions that a set of users can perform. SELinux adds both MAC and RBAC to the GNU/Linux operating system."

You can think of SEL as being an "add-on" to the Linux kernel. I realize that the name can be confusing since it kind of implies that it may be a completely different "Linux system" all together. It's really just an implementation of access control lists for Linux and various Linux distributions (such as Redhat) ship with it. It doesn't alter what the system can and can't run. It simply provides a tool for the administrator to further control and lock down the system in ways that are otherwise not possible with the vanilla kernel.

Re:Security vs Functionality tradeoff (1)

redelm (54142) | more than 6 years ago | (#23370006)

Yes, I realize SEL is more a security module[s]. But is there one/several for Firefox preconfigured? Flexibility (aka "power") is good, but requires admin effort. Some of this can be saved with intelligent defaults. When you haul them out of the base code, you owe the user some guidance.

RSBAC anyone ? (1)

geekymachoman (1261484) | more than 6 years ago | (#23369672)

I think RSBAC (linux kernel patch) covers that, and much more. http://www.rsbac.org/ [rsbac.org]

Do you really want NSA developing your OS? (0, Insightful)

Anonymous Coward | more than 6 years ago | (#23369738)

Until we have a free government [metagovernment.org] , I cannot see how anyone can trust software that comes from the NSA.

Re:Do you really want NSA developing your OS? (5, Insightful)

diegocgteleline.es (653730) | more than 6 years ago | (#23369766)

Uh...you can read the code [kernel.org] . People have read the code and there's nothing "hidden" in it. People who think that SELinux allows the NSA to enter your computer are just clueless.

Re:Do you really want NSA developing your OS? (1)

harry666t (1062422) | more than 6 years ago | (#23369896)

They might be able to do that anyway. Who knows if they hadn't had secret deals with Intel, AMD, or whomever? You probably cannot review the source code of your CPU.

Re:Do you really want NSA developing your OS? (0)

Anonymous Coward | more than 6 years ago | (#23369990)

No but you could, at least in theory, stick an oscilloscope to the network cable and detect what is going out and coming in.

Re:Do you really want NSA developing your OS? (5, Funny)

diegocgteleline.es (653730) | more than 6 years ago | (#23370098)

But WHAT if the company who made the oscilloscope also had secret deals with the NSA???

Re:Do you really want NSA developing your OS? (0)

Anonymous Coward | more than 6 years ago | (#23370256)

Build your own. An oscilloscope is a remarkably simple device and you can literally make the components you need yourself.

People often have this idea that all technology is something advanced and magical that only a high tech company can master. In reality many gadgets are merely more advanced and refined versions of a very simple phenomena. With some effort you can make a perfectly functional camera using a cardboard box as an example.

One of the more extreme examples of this is probably a nuclear reactor. While you will probably need quite a bit of physics to deduce the proper dimensions, it is quite possible to produce a nuclear reactor by simply stacking graphite blocks and uranium in the right proportions. You need very pure uranium and graphite if you hope to do it without enrichment, but it is quite possible.

Re:Do you really want NSA developing your OS? (5, Funny)

Anonymous Coward | more than 6 years ago | (#23370682)

Build your own. An oscilloscope is a remarkably simple device and you can literally make the components you need yourself.

But what if YOU have a secret deal with the NSA?

Re:Do you really want NSA developing your OS? (1)

SGC Sculler (1221350) | more than 6 years ago | (#23371396)

But what if YOU have a secret deal with the NSA?

Then you need to work on overcoming your schizophrenia.

Re:Do you really want NSA developing your OS? (1)

harry666t (1062422) | more than 6 years ago | (#23370514)

You know that too much paranoia is bad? (: your thoughts make up your reality.

Re:Do you really want NSA developing your OS? (1)

Hal_Porter (817932) | more than 6 years ago | (#23370530)

Then your world has been virtualised out from under you, Matrix style.

Re:Do you really want NSA developing your OS? (0)

Anonymous Coward | more than 6 years ago | (#23370598)

use an oscilloscope made pre-NSA

Re:Do you really want NSA developing your OS? (1)

diegocgteleline.es (653730) | more than 6 years ago | (#23370058)

They might be able to do that anyway. Who knows if they hadn't had secret deals with Intel, AMD, or whomever? You probably cannot review the source code of your CPU.

Sorry, but I'm paranoid. What if you're an NSA agent? So I think you're lying to me - my CPUs are safe.

Re:Do you really want NSA developing your OS? (1, Funny)

Anonymous Coward | more than 6 years ago | (#23370128)

So as long as the code doesn't execute the PWN instruction, we're safe.

Re:Do you really want NSA developing your OS? (2, Insightful)

Truekaiser (724672) | more than 6 years ago | (#23370088)

I'll bet money that 99% of the people who have access to the code would have no clue what it does. That only leaves those who are familiar with it and those that know the language it is written in but are not familiar with the specific code. The former would easily be silenced, the latter can be dismissed as kooks and better yet other people will do it to them as well due to herd mentality.

Frankly I think it's wise to not trust the NSA even if you can see the code, because frankly it's just plain misplaced faith that a simple philosophy like OSS can universally protect you from such malicious intent, especially considering the history and track record of such an agency.

Re:Do you really want NSA developing your OS? (2, Insightful)

Darkness404 (1287218) | more than 6 years ago | (#23370336)

So some people don't understand the code very well. That's why the 1% of people look for malicious changes and fix them. How many open-source projects have malware in them compared to all the Windows Freeware/Shareware/Adware that has it in them? It's like saying just because a recipe isn't verified by a chemist it must be designed to either A) Poison you or B) affect your mind to buy less of a competitor's product. Source code can be compared to a recipe, and how many people who cook really know the science behind why they add in everything to bake a cake? I'm sure very few, but how many die from incorrect recipes that were changed? I'm sure very very very few to none.

Re:Do you really want NSA developing your OS? (1)

cobaltnova (1188515) | more than 6 years ago | (#23370896)

Your metaphor (ok, simile, you grammar nazis) isn't the greatest. Almost all combinations of food are harmless to healthy persons. Cooking (i.e., undercooking or blackening) can, indeed, allow or create toxins. But, that's fairly well understood by almost all cooks. Very little chemistry is needed to determine if a food is toxic: most of the time you can tell by the taste.

Re:Do you really want NSA developing your OS? (4, Insightful)

Haeleth (414428) | more than 6 years ago | (#23371602)

I'll bet money that 99% of the people who have access to the code would have no clue what it does. that only leaves those who are familiar with it and those that know the language it is written in but are not familiar with the specific code. the former would easily be silenced

How, and by whom exactly?

You're forgetting that Linux development is distributed across the world. Maybe the NSA might conceivably be able to "silence" developers within the USA. But what hold exactly would the NSA have over developers in Europe and Asia? Even if you suppose that the USA's close allies such as Britain and Canada might be persuaded to join in some conspiracy, what would other countries have to gain? You would have to propose a global conspiracy, with governments the world over uniting to, um, stop themselves from finding out about the backdoors that America was using to spy on them? Sorry, but this is the most half-baked conspiracy theory I've ever heard.

Frankly, I think it's wise to not trust the NSA even if you can see the code, because frankly it's just plain misplaced faith that a simple philosophy like OSS can universally protect you from such malicious intent, especially considering the history and track record of such an agency.
Leaving aside the clear paranoia that is causing you to characterise the NSA as "malicious", they would have to be not only malicious but downright stupid to put backdoors into open-source code.

For example, the Chinese government uses Linux themselves. It would be foolhardy in the extreme for NSA to assume that they will not have their best security experts scouring the code for backdoors. If they found one, they could use it themselves -- or they could expose it, seriously embarrassing the United States. Not exactly the kind of thing that's likely to result in NSA funding being maintained at its present high level...

Re:Do you really want NSA developing your OS? (2, Informative)

Hal_Porter (817932) | more than 6 years ago | (#23370306)

Why do people say "you can read the code". Firstly, how many people who are actually skilled enough to read code critically have time to do that? And what's the chance out of the millions of lines of code in the kernel that they just happen to find the very few with bugs.

And how many of those are looking to fix old bugs as opposed to add new features? Bugs can exist in code that lots of people look at for 25 years.

http://it.slashdot.org/article.pl?sid=08/05/11/1339228 [slashdot.org]

Most subtle bugs can't be seen by reading code anyway, and you can't find them in a debugger because they are so hard to reproduce. Instead you need to form hypotheses about what the mechanism is, test them and then try possible fixes. And then get lots of people to test those.

Most interesting bugs only get understood/fixed when someone is affected by them. Having millions of people stare at the code to find one chance in a million is pointless. In fact it's worse than that, since those people will be tempted to refactor working but ugly code instead of hunting for those hard-to-find bugs.

The concept is totally naive, IMO. Only people who've never found a very subtle bug would believe it.

Re:Do you really want NSA developing your OS? (1, Redundant)

spiffmastercow (1001386) | more than 6 years ago | (#23370544)

You can read a EULA too, but how often do people do that? Now let's think here... How many Linux sysadmins are proficient in C (i.e. have at least the knowledge contained in K&R)? Of those, how many have enough knowledge to understand kernel code? Of those, how many have the spare time to do so? And of those, how many will bother? And of those, how many will build the OS from source to ensure that the binaries aren't compromised? Just because something is open source doesn't necessarily mean it's safe. I'm not saying I think there is or is not a devious plot here... But I am saying that you shouldn't assume that open source code cannot be malicious.

Re:Do you really want NSA developing your OS? (2, Funny)

AndGodSed (968378) | more than 6 years ago | (#23369810)

Here you go... and in your size too! Yep, a nice tinfoil hat, provided by the NSA no less!

Re:Do you really want NSA developing your OS? (1)

FurtiveGlancer (1274746) | more than 6 years ago | (#23369840)

If it keeps them off my phone line, then I'm all for it!

I hear voices, but they *usually* belong to people.

Re:Do you really want NSA developing your OS? (0)

Anonymous Coward | more than 6 years ago | (#23369874)

For the love of God...review the code you moron.

Re:Do you really want NSA developing your OS? (2, Insightful)

EQ (28372) | more than 6 years ago | (#23369880)

Put your nearly insane conspiracy theories to rest on this one; that's one of the reasons we have open source: to keep things like Microsoft's backdoors from being slipped in.

And aside from that, let's see, they have arguably several hundred to thousands of the best crypto and security people working for them, so yeah, let's completely ignore what they have to say in favor of some nebulous conspiracy.

Think about this: could such a conspiracy exist with that many people being informed of it? All it takes is one person to anonymously leak stuff to the papers or internet. I mean really, the secret money tracing stuff they were doing got splashed on the front pages of the NYTimes, and the previous administration couldn't even keep a presidential blowjob a secret.

But the bottom line is: It is OPEN SOURCE (and even GPL'd!). Read the code. They cannot hide a backdoor from the kernel group when those programmers and all the patchers, testers, and users have all the source.

To Secret Government or not to Secret Government? (0)

Anonymous Coward | more than 6 years ago | (#23371034)

To restate the OP more elegantly:

Which would you rather have?

A. Countless lines of obscure (but technically open source) code developed by the masters of deception who have unlimited resources at their disposal and who have a track record of intrusion where they have no business

B. Open source governance [wikipedia.org] , where everyone can develop and read the law (and btw there is no NSA anymore because there is transparency in everything [wikipedia.org] )

Re:Do you really want NSA developing your OS? (4, Interesting)

lkcl (517947) | more than 6 years ago | (#23370558)

the "NSA" is not developing "your" OS. the NSA is (indirectly) verifying via (indirect) sponsorship and advocation that an (independent) university-developed scientific security model (FLASK) is (independently) implemented by a company and then (independently) maintained by (independent) people such as stephen smalley.

look at the web site. it says "POSIX not good enough for proper security. therefore we make it better so that civil services, and other environments where security matters, have someone to go to to ask 'is this secure to level XYZ?' and get a certification"

the bottom line is: be damn grateful for their involvement because it beefs up linux and allows it to be recommended for deployment in places where it would otherwise be hopelessly outclassed. remember: selinux allows linux to be "certified" as "secure", and mathematically provable as "secure". those certifications are absolutely vital for deployment in certain kinds of environments.

so be glad that linux is getting a leg-up, thanks to the NSA.

fake clouds/weather raise disaster level (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23369786)

just keep focused on the smoke (& mirrors), & never mind the fire. it'll go out by itself after a while? there might not be much of anything left, butt that's not yOUR problem? alternatively, you can be more helpful than you might have imagined. there are still some choices. if they do not suit you, consider the likely results of continuing to follow the corepirate nazi hypenosys story LIEn, whereas anything of relevance is replaced almost instantly with pr ?firm? scriptdead mindphuking propaganda or 'celebrity' trivia 'foam'. meanwhile; don't forget to get a little more oxygen on yOUR brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.

http://news.yahoo.com/s/ap/20071229/ap_on_sc/ye_climate_records;_ylt=A0WTcVgednZHP2gB9wms0NUE
http://news.yahoo.com/s/afp/20080108/ts_alt_afp/ushealthfrancemortality;_ylt=A9G_RngbRIVHsYAAfCas0NUE
http://www.nytimes.com/2007/12/31/opinion/31mon1.html?em&ex=1199336400&en=c4b5414371631707&ei=5087%0A

is it time to get real yet? A LOT of energy is being squandered in attempts to keep US in the dark. in the end (give or take a few 1000 years), the creators will prevail (world without end, etc...), as it has always been. the process of gaining yOUR release from the current hostage situation may not be what you might think it is. butt of course, most of US don't know, or care what a precarious/fatal situation we're in. for example; the insidious attempts by the felonious corepirate nazi execrable to block the suns' light, interfering with a requirement (sunlight) for us to stay healthy/alive. it's likely not good for yOUR health/memories 'else they'd be bragging about it? we're intending for the whoreabully deceptive (they'll do ANYTHING for a bit more monIE/power) felons to give up/fail even further, in attempting to control the 'weather', as well as a # of other things/events.

http://video.google.com/videosearch?hl=en&q=video+cloud+spraying

dictator style micro management has never worked (for very long). it's an illness. tie that with life0cidal aggression & softwar gangster style bullying, & what do we have? a greed/fear/ego based recipe for disaster. meanwhile, you can help to stop the bleeding (loss of life & limb);

http://www.cnn.com/2007/POLITICS/12/28/vermont.banning.bush.ap/index.html

the bleeding must be stopped before any healing can begin. jailing a couple of corepirate nazi hired goons would send a clear message to the rest of the world from US. any truthful look at the 'scorecard' would reveal that we are a society in decline/deep doo-doo, despite all of the scriptdead pr ?firm? generated drum beating & flag waving propaganda that we are constantly bombarded with. is it time to get real yet? please consider carefully ALL of yOUR other 'options'. the creators will prevail. as it has always been.

corepirate nazi execrable costs outweigh benefits
(Score:-)mynuts won, the king is a fink)
by ourselves on everyday 24/7

as there are no benefits, just more&more death/debt & disruption. fortunately there's an 'army' of light bringers, coming yOUR way. the little ones/innocents must/will be protected. after the big flash, ALL of yOUR imaginary 'borders' may blur a bit? for each of the creators' innocents harmed in any way, there is a debt that must/will be repaid by you/us, as the perpetrators/minions of unprecedented evile, will not be available. 'vote' with (what's left in) yOUR wallet, & by your behaviors. help bring an end to unprecedented evile's manifestation through yOUR owned felonious corepirate nazi glowbull warmongering execrable. some of US should consider ourselves somewhat fortunate to be among those scheduled to survive after the big flash/implementation of the creators' wwwildly popular planet/population rescue initiative/mandate. it's right in the manual, 'world without end', etc.... as we all ?know?, change is inevitable, & denying/ignoring gravity, logic, morality, etc..., is only possible, on a temporary basis. concern about the course of events that will occur should the life0cidal execrable fail to be intervened upon is in order. 'do not be dismayed' (also from the manual). however, it's ok/recommended, to not attempt to live under/accept, fauxking nazi felon greed/fear/ego based pr ?firm? scriptdead mindphuking hypenosys.

consult with/trust in yOUR creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

"If my people, which are called by my name, shall humble themselves, and pray, and seek my face, and turn from their wicked ways; then will I hear from heaven, and will forgive their sin, and will heal their land."

meanwhile, the life0cidal philistines continue on their path of death, debt, & disruption for most of US. gov. bush denies health care for the little ones;

http://www.cnn.com/2007/POLITICS/10/03/bush.veto/index.html

whilst demanding/extorting billions to paint more targets on the bigger kids;

http://www.cnn.com/2007/POLITICS/12/12/bush.war.funding/index.html

& pretending that it isn't happening here;

http://www.timesonline.co.uk/tol/news/world/us_and_americas/article3086937.ece
all is not lost/forgotten/forgiven

(yOUR elected) president al gore (deciding not to wait for the much anticipated 'lonesome al answers yOUR questions' interview here on /.) continues to attempt to shed some light on yOUR foibles. talk about reverse polarity;

http://www.timesonline.co.uk/tol/news/environment/article3046116.ece


GNAA Sperm Races - Penis Rocket Project (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23369794)

GNAA Sperm Races

To help fund our PR2TMP we are holding GNAA Sperm Races:

http://www.gnaa.us/penis-rocket-to-the-moon/spermraces2008/enter.html [www.gnaa.us]

Cum in a cup at our event and we will give it to our Lesbian Nigger who will toss all of the mixed semen into her vagina and we'll watch together on a big screen as the sperm race to her eggs!

Roles (1)

Threni (635302) | more than 6 years ago | (#23369832)

Hasn't NT had Roles for 15 years?

Re:Roles (4, Funny)

Concerned Onlooker (473481) | more than 6 years ago | (#23370378)

Yes, but they're usually just bit parts.

Re:Roles (1)

holophrastic (221104) | more than 6 years ago | (#23370456)

Yeah, and so have I. People like to find new information and call it "innovation", when really the impressive part is that the information was published, not that the technique was used. The technique's been used for ages.

Hey, my own crappy Perl code in which I've build a few dozen web-sites solves potential SQL exploits by running SQL queries using a MySQL user with limited permissions. There's no reason for 95% of database queries to have write access (INSERT) to anything. And some database tables don't need to be read (SELECT) by 99% of database queries.

So, simply put, when I'm looking up product information from the product catalogue, I use the MySQL user with general read access, which can't write anything at all, and can't read from things like the purchase table. And when the visitor makes a purchase, it happens through a MySQL user with INSERT access to the purchase table, but without UPDATE permission.

So instead of throwing random SQL strings at the database, I effectively run it through a user that can't do much of anything else -- and the else that it can do is perfectly legitimately done by the site visitor -- simply not necessarily from that particular web page.

And that's all above standard SQL injection dodging with escaping and such.

Re:Roles (1)

HuguesT (84078) | more than 6 years ago | (#23370800)

Yes, correct, but they are not being used by default, in particular in the common configuration where the default user is also the administrator :-(

Roles and Groups (0)

Anonymous Coward | more than 6 years ago | (#23369834)

"The concept of a role differs from that of a traditional group in that a group represents one or more users."

And so does a traditional group in /etc/group; it represents one or more users. So what are they trying to say with this sentence?

...to the Next Level of confusion (0)

Anonymous Coward | more than 6 years ago | (#23369900)

I would rather deal with the simple security that comes with Linux and already works well than to have to try to figure out a poorly implemented security system that emits an endless stream of crap into my log files and breaks something just about every time my distro updates it.

Simple and understandable makes for better security than complicated and unfathomable.

Roles vs Groups? (1)

iamhigh (1252742) | more than 6 years ago | (#23369902)

I guess I have never understood the fundamental difference; from TFS...

The concept of a role differs from that of a traditional group in that a group represents one or more users. A role can represent multiple users, but it also represents the permissions that a set of users can perform.
So a role is a group with permissions applied? WTF is the point of a group with no permissions applied?

Now I understand you can have different kinds of groups: email/distro, file access, memory access, execute, etc. But even if you use one group to give all of these, that doesn't really make it different that a group with permissions.

Is it all PHB/Marketing BS or am I missing something?

Learn how to use SELinux without disabling it... (4, Informative)

Ang31us (1132361) | more than 6 years ago | (#23369922)

Use SELinux commands like "restorecon" and "chcon" to fix SELinux context issues. Also, there is a GUI tool called "system-config-selinux" if you find that kind of stuff easier. If all else fails, use "setenforce" to put SELinux into WARN mode and look at the logs for clues about what is wrong.
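An added example of the "look at the logs" step, not code from the post or from the SELinux tools: it parses AVC denial records of the kind auditd writes, groups them by source domain, target type and object class, and renders them in the allow-rule form audit2allow uses, which is the quickest way to tell a mislabelled file (fix with restorecon/chcon) from a genuine policy gap. The log lines in SAMPLE_LOG are constructed for the demo.

```python
"""Parse SELinux AVC denials and group them the way audit2allow does.

Added example for the "look at the logs" step; not code from the post or from
the SELinux tools. SAMPLE_LOG is constructed for the demo in the format auditd
writes (type=AVC ... scontext= tcontext= tclass=); the field names follow that
format, everything else here is ours.
"""
import re
from collections import defaultdict

DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = [  # constructed, not captured from a real box
    'type=AVC msg=audit(1210514400.101:41): avc:  denied  { read } for  pid=2134 '
    'comm="httpd" name="index.html" dev=sda1 ino=12345 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1210514400.101:41): arch=40000003 syscall=5 success=no exit=-13',
    'type=AVC msg=audit(1210514400.102:42): avc:  denied  { getattr } for  pid=2134 '
    'comm="httpd" path="/home/alice/public_html/index.html" dev=sda1 ino=12345 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1210514500.007:57): avc:  denied  { name_connect } for  pid=980 '
    'comm="sshd" dest=3306 scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
]


def parse_avc(line):
    """Return {perms, comm, target, sdomain, ttype, tclass}, or None for non-AVC lines."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    try:
        # contexts are user:role:type[:level]; the type is what policy keys on
        sdomain = kv["scontext"].split(":")[2]
        ttype = kv["tcontext"].split(":")[2]
        tclass = kv["tclass"]
    except (KeyError, IndexError):
        return None
    return {"perms": set(m.group(1).split()), "comm": kv.get("comm"),
            "target": kv.get("path") or kv.get("name") or kv.get("dest"),
            "sdomain": sdomain, "ttype": ttype, "tclass": tclass}


def summarize(lines):
    """(source domain, target type, class) -> union of denied permissions."""
    agg = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            agg[(d["sdomain"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(agg)


def as_allow_rules(summary):
    """audit2allow-style rendering. Treat each line as a diagnosis, not a fix:
    httpd_t denied on user_home_t usually means the content carries the wrong
    label (restorecon/chcon), and adding the rule as written would just widen policy."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(summary.items())]


if __name__ == "__main__":
    for rule in as_allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
```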

Re:Learn how to use SELinux without disabling it.. (1)

Sir_Lewk (967686) | more than 6 years ago | (#23370820)

I may be wrong but I'm pretty sure 'system-config-selinux' is specific to Fedora (or at least Red Hat related distros). All the other system-config-* commands seem to be at least.

Interesting article, but confused definitions (4, Informative)

mattpalmer1086 (707360) | more than 6 years ago | (#23369936)

The definitions used by the article for discretionary, mandatory and role-based access control are a bit confused. They mix up the type of control with mechanisms commonly used to implement them. To be fair, there are no standard definitions of them - or at least, there's more than one "standard" definition. However, having just completed a dissertation in which I attempted to define those things, allow me to offer them here.

Discretionary - a user has discretion to decide who has access to what. A common form of discretionary control is access control lists (ACLs), but capabilities are also discretionary. A big problem with discretionary control is the amount of work the user has to do to grant and revoke permissions to everything. This often leads to systems configured with too much permission - the opposite of the principle of least privilege.

Mandatory - the system mandates who has access to what by enforcing a policy (a user may set the policy, but can't grant access outside of that policy). Mandatory systems can require less work to administer day-to-day, as authorisation has been automated. But it's often a lot of work to set good policies, and they are obviously less capable of dealing with things that fall outside of normal working practices. Common forms of mandatory control include label based systems like Bell-LaPadula or Biba (e.g. Top Secret: nuclear;projectX) and protection rings in CPUs.

Role-based (RBAC) - the permissions of a user are taken from their role or roles. Lots of people ask why this isn't the same as using groups and access control lists. You can implement bits of RBAC using groups and ACLs, but full RBAC is more abstract than this, and explicitly allows for greater control - like separation of duties. The current "standard" is the NIST RBAC definition: http://csrc.nist.gov/groups/SNS/rbac/ [nist.gov]

Note that RBAC can be mandatory or discretionary - it doesn't say how the permissions are allocated to the roles, just how the user gets those permissions through the roles.

Re:Interesting article, but confused definitions (1)

93 Escort Wagon (326346) | more than 6 years ago | (#23370166)

Role-based (RBAC)- the permissions of a user are taken from their role or roles. Lots of people ask why this isn't the same as using groups and access control lists. You can implement bits of RBAC using groups and ACLs, but full RBAC is more abstract than this, and explicitly allows for greater control - like separation of duties.
Couldn't you accomplish separation of duties with groups (by using different groups for different duties) and/or setting up permissions in a less sweeping way in sudoers (not just always using "fubar ALL=(ALL) ALL")? I freely admit I know just enough to be dangerous; but sometimes I wonder if the problem is really just the way user/group permissions have traditionally been used in Linux/Unix.

Re:Interesting article, but confused definitions (1)

mattpalmer1086 (707360) | more than 6 years ago | (#23370282)

You can arbitrarily approximate bits of RBAC using ACLs and groups, to different degrees in different systems. I'm not expert enough with using sudo to comment on your proposal, but as far as I'm aware, no ACL based system allows the user to pick which groups will be active during their session, nor does it allow the selection of groups to be controlled (e.g. if you pick group A, you can't have group B at the same time).

Re:Interesting article, missing Type Enforcement (0)

Anonymous Coward | more than 6 years ago | (#23370526)

SELinux's security is rooted in Type Enforcement, which is similar to a mandatory RBAC but built not around user roles but rather around the roles of processes. For example, a mail filter may run as root to be able to write user mailboxes, but the various processes involved in it will not be able to, for example, read user documents (they will only be able to read files that are directly involved with the needs of mail delivery).

The idea is that even if there is a vulnerability in the mailer, at worst the attacker could read/delete user mail (and not, for example, install trojans into applications or reconfigure the network).

This is orthogonal to any user based controls (i.e.,the mail filter may start out running as root or some mail daemon, and then later su to the user, but it will remain in the "mail filter" domain).

TrustedBSD (0, Troll)

mi (197448) | more than 6 years ago | (#23370072)

Unless you are married to Linux already for some reason, you'll want TrustedBSD [trustedbsd.org] . Built on top of/as extension to FreeBSD [freebsd.org] , it had a substantial head-start...

Re:TrustedBSD (4, Informative)

diegocgteleline.es (653730) | more than 6 years ago | (#23370122)

Yeah, that must be why TrustedBSD is copying SELinux [trustedbsd.org] (just like opensolaris [opensolaris.org] )...

People claim SELinux is difficult, but they often don't understand how insanely powerful it is....

Re:TrustedBSD (4, Informative)

lkcl (517947) | more than 6 years ago | (#23370666)

"they often don't understand how insanely powerful it is...."

mwahahahah. yeah. nor how much money can be made from being able to program it and set up selinux policies that make normal people's brains bleed :) from scratch, selinux takes about 6 to 8 weeks to understand and program "policies". that means that anyone with the skill to program it is onto a goldmine, especially in the kinds of defense and civil contracts where selinux is "required".

i did a contract for a veeery unusual selinux deployment, involving file transfers from a high security environment to a low security one and vice-versa (secure-ftp). the requirement was that files in "incoming" should be creatable-and-writeable from one side, and readable-and-deletable from the other.

the requirement was nothing to do with UNIX, it was implementing guidelines laid out in a policy document on security and was government-mandated for the type of environment (i wasn't told what that was but it was probably banking).

when my friend analysed the requirements, he did a simple map of POSIX permissions onto the requirements. POSIX merges "write" with "delete". automatically and immediately, pure POSIX permissions made it absolutely impossible to fulfil the requirements. he looked at extended ACLs: that didn't help, either.

on investigation of SElinux permissions, with extended separate permissions on directories as well as files, it was abundantly clear that SElinux fitted the requirements perfectly.

in SElinux, every single OS primitive has its own ACL permission, so there are about twenty five ACLs for files and a further separate and distinct twenty five or so ACLs for subdirectories. thirty or more for sockets. network addresses can be represented in ACLs. it's just ... absolutely insanely powerful, just as you say.

you could, if you were prepared to drive yourself up the wall, implement a per-user firewall for ssh. not using ssh configs but using selinux policy files! you could define the set of IP addresses which become relevant for a particular user context, which gets activated when the user logs in because PAM helps define the user's role, and then the combination of the user's role and the fact that the ssh "context" is entered, then network access is granted or denied because... ... i'm belabouring the point but you get the picture i'm sure. oh. and of course, you could even define that a particular ssh subsystem (sftp) be allowed from a particular range of IP addresses and ssh "shell" access only allowed from another range.

it is truly truly absolutely amazing.
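A toy policy checker, added here as an example and not code or policy from SELinux or from any post in the thread, that covers three points made above: mattpalmer1086's separation of duties (a session may not activate two roles declared exclusive), the AC's type enforcement (the mail filter's domain, not its uid, decides what it may touch, so a setuid to the recipient changes nothing), and lkcl's incoming directory, where the create-and-write side and the read-and-delete side get different directory permissions (add_name versus remove_name) and different file permissions (create/write versus read/unlink), something POSIX cannot express because both sides need directory write. The domain, type and role names are invented; the permission bundle per operation mirrors what the SELinux hooks check for that syscall, but nothing here loads a real policy.

```python
"""Toy type-enforcement checker in the style of SELinux allow rules.

Added example; not policy or code from SELinux or from the thread. Domain,
type and role names are made up. The permission bundle per operation mirrors
what the SELinux hooks check for that syscall (creating a file needs
dir { search add_name write } plus file create; unlinking needs
dir { search remove_name write } plus file unlink), nothing more.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import product

# (object, object class, permission) needed per operation. create and unlink
# need different dir perms and different file perms; in POSIX both are dir w+x.
OPS = {
    "create": [("dir", "dir", "search"), ("dir", "dir", "add_name"),
               ("dir", "dir", "write"), ("file", "file", "create")],
    "write":  [("dir", "dir", "search"), ("file", "file", "write")],
    "read":   [("dir", "dir", "search"), ("file", "file", "read")],
    "unlink": [("dir", "dir", "search"), ("dir", "dir", "remove_name"),
               ("dir", "dir", "write"), ("file", "file", "unlink")],
}


@dataclass(frozen=True)
class Process:
    uid: int
    domain: str

    def setuid(self, uid):
        return Process(uid, self.domain)  # DAC identity changes, TE domain does not


class Policy:
    def __init__(self):
        self.rules = defaultdict(set)  # (domain, type, class) -> perms
        self.roles = {}                # role -> domains it may enter
        self.users = {}                # user -> roles held
        self.exclusive = set()         # frozensets of two roles never held together

    def allow(self, domain, type_, cls, perms):  # allow domain type:class { perms };
        self.rules[(domain, type_, cls)] |= set(perms)

    def role(self, name, domains): self.roles[name] = set(domains)
    def user(self, name, roles): self.users[name] = set(roles)
    def separate(self, a, b): self.exclusive.add(frozenset((a, b)))

    def missing(self, proc, op, dir_type, file_type):
        """Permissions op needs that proc's domain has not been granted."""
        label = {"dir": dir_type, "file": file_type}
        return [(label[o], c, p) for o, c, p in OPS[op]
                if p not in self.rules.get((proc.domain, label[o], c), ())]

    def check(self, proc, op, dir_type, file_type):
        return not self.missing(proc, op, dir_type, file_type)

    def activate(self, user, roles):
        """Domains a session may enter, or None if the user lacks one of the
        roles or asks for two roles declared mutually exclusive."""
        roles = set(roles)
        if not roles or not roles <= self.users.get(user, set()):
            return None
        if any(frozenset(pair) in self.exclusive for pair in product(roles, roles)):
            return None
        return set().union(*(self.roles[r] for r in roles))


def build_policy():
    p = Policy()
    # Mail filter: spool files only; user_home_t gets no rule at all.
    p.allow("mail_t", "mail_spool_t", "dir", ["search"])
    p.allow("mail_t", "mail_spool_t", "file", ["read", "write"])
    # Drop box: high side creates and writes, low side reads and removes.
    # Files created there are assumed to be labelled incoming_t (a real policy
    # would say so with a type transition rule).
    p.allow("high_t", "incoming_t", "dir", ["search", "add_name", "write"])
    p.allow("high_t", "incoming_t", "file", ["create", "write"])
    p.allow("low_t", "incoming_t", "dir", ["search", "remove_name", "write"])
    p.allow("low_t", "incoming_t", "file", ["read", "unlink"])
    # RBAC layer: roles gate domains, and nobody is both sides in one session.
    p.role("mail_admin_r", ["mail_t"])
    p.role("sender_r", ["high_t"])
    p.role("receiver_r", ["low_t"])
    p.user("alice", ["sender_r", "receiver_r"])
    p.user("bob", ["mail_admin_r"])
    p.separate("sender_r", "receiver_r")
    return p


if __name__ == "__main__":
    pol = build_policy()
    mail = Process(uid=0, domain="mail_t")
    print("mail_t writes spool:", pol.check(mail, "write", "mail_spool_t", "mail_spool_t"))
    print("after setuid, reads home:", pol.check(mail.setuid(1000), "read", "user_home_t", "user_home_t"))
    for proc in (Process(0, "high_t"), Process(0, "low_t")):
        print(proc.domain, {op: pol.check(proc, op, "incoming_t", "incoming_t") for op in OPS})
    print("alice as both sides:", pol.activate("alice", ["sender_r", "receiver_r"]))
```

The thing to notice is that high_t fails "unlink" for want of dir remove_name and file unlink even though it holds dir write, and low_t fails "write" for want of file write even though it may remove the file; a POSIX directory bit cannot split those, which is lkcl's point.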

Re:TrustedBSD (1)

nguy (1207026) | more than 6 years ago | (#23370788)

People claim SELinux is difficult, but they often don't understand how insanely powerful it is....

No, it isn't powerful. "Powerful" doesn't just mean being able to get a lot done, it means getting a lot done with little time or effort.

RSBAC (0)

Anonymous Coward | more than 6 years ago | (#23370108)

Why is rsbac never mentioned on slashdot? It is, in my opinion, a better technology. At the least, it is a different approach, and worth mentioning. I use it daily, find it easier to administer than selinux, it is more portable, and does not need LSM. Check it out at http://www.rsbac.org/ [rsbac.org]

Re:RSBAC (1)

metrix007 (200091) | more than 6 years ago | (#23370780)

That is an excellent point, this kind of competition is only good for the security scene as a whole.

I don't understand why it is not explored further on slashdot, not just rsbac, but apparmor, grsecurity etc.

But yes, RSBAC is an excellent and alternative approach, and should be checked out.

Check the NSA FAQ (0)

Anonymous Coward | more than 6 years ago | (#23370116)

http://www.nsa.gov/selinux/info/faq.cfm

Do you really trust NSA's Linux? (-1, Flamebait)

Adeptus_Luminati (634274) | more than 6 years ago | (#23370204)

I think trusting a piece of software put together by a government agency who makes a living spying on its own citizens, is kind of like taking a gun and shooting your foot.
I don't care how open source it may be, I wouldn't touch that Linux version with a 10 foot pole!

Re:Do you really trust NSA's Linux? (0, Flamebait)

Anonymous Coward | more than 6 years ago | (#23370240)

I bet you run windows.

Re:Do you really trust NSA's Linux? (2, Informative)

Darkness404 (1287218) | more than 6 years ago | (#23370258)

The code is open, anyone can review it. SELinux is open source, you can even edit the source code itself. Now had this been a proprietary product you would have no clue what is in the binary, but with Linux you can be assured that you can look it over. Compare that to Windows where you don't even know who is editing the source code. And really, how can you put in hidden code in the source code? You can't. Now granted, I hate SELinux for other reasons but it being developed by the NSA isn't one of them.

Re:Do you really trust NSA's Linux? (0, Flamebait)

Adeptus_Luminati (634274) | more than 6 years ago | (#23370316)

What's with people having so much faith in the security of open source software? Seriously, how many hundreds of thousands of lines makes up SELinux? Have you even reviewed 500 of those lines yourself? The vast size of it, makes it impossible for any one individual or even group of small individuals to KNOW for sure it is all perfectly safe. Now prove to me that some group expert coders that have actually reviewed every single god damn line of it and found nothing wrong with it, and maybe then I'll start trusting it.

Rough Analogy: It's all about logistics people. Just because there is a freedom of information act out there, doesn't mean every single government document has ever been reviewed, and it doesn't make the government trustworthy.

Re:Do you really trust NSA's Linux? (2, Insightful)

Darkness404 (1287218) | more than 6 years ago | (#23370376)

How many people have looked through all the lines in a recipe and understand all the chemical reactions? Seriously, what's with people having faith that somehow someone wouldn't slip in something poisonous that the maintainers of the recipe wouldn't notice? Compare the recipe to SELinux and you get the general picture.

And why would Debian, Red Hat, Ubuntu, and Fedora have it if it were malicious? Despite the fact that the US government could have made Red Hat put it in for Red Hat and Fedora, that still leaves Debian which is community (and is quite good about making sure its systems are secure) and Ubuntu which is based in the UK and is community much like Debian.

Sure, healthy suspicion is good, but really, it's just as stupid as saying that because not everyone knows what the chemical reactions are when you are cooking, it suddenly leaves you open to poisoning yourself with it.

Expect SElinux to be trojaned (0)

Anonymous Coward | more than 6 years ago | (#23370566)

You're just not living in the real world.

One should expect the NSA to have placed several non-obvious trojans in SElinux code, as well as in other areas of the kernel not directly tied to security. This is part of what they do, to acquire access pathways into systems worldwide for when they're needed, and undoubtedly it's the part of their Linux work for which they get funding most easily.

After all, it would be totally unreal and naive to think that the NSA greeted the rise of Linux with total submission. "Oh dear, it's been so easy to place our access hooks into Windows with the assistance of Microsoft until now, but Linux is open source so we're totally defeated, you can take away half our funding now." Be real, that's not how the world works.

The overall security of Linux dropped when the security modules framework was added to support SElinux and AppArmor, because this is complex code that is inherently involved with privilege manipulation. You can bet your bottom dollar that there is a compromisable pathway in that code, hidden as a side effect of some seemingly innocuous operation.

Without this, the NSA would not be doing the job expected of them, which is to undermine the rest of the world for the benefit of the USA. The rise of Linux represented a disastrous loss of control for the NSA. They would not have let that happen unchecked.

Re:Do you really trust NSA's Linux? (0)

Anonymous Coward | more than 6 years ago | (#23370260)

you are an idiot

Re:Do you really trust NSA's Linux? (1)

growse (928427) | more than 6 years ago | (#23370346)

Well, if I shoot my foot with a gun, I get a hole in my foot. If I use SELinux, I end up with a pretty secure OS. These are different things.

Now, if you have information that may be able to give me a secure OS using a gun, or perhaps more interestingly a hole in my foot using SELinux, feel free to enlighten me :)

Oh, FWIW, paranoia is great up until the point it becomes easily confused with irrationality. Irrational paranoia is usually reserved for the domain of the mentally ill.

Example? (0)

Anonymous Coward | more than 6 years ago | (#23370262)

"If you have a program that responds to socket requests but doesn't need to access the file system, then that program should be able to listen on a given socket but not have access to the file system."

That sounds neat on a theoretical level, but how does it help me? Does my system have any programs which respond to socket requests but don't access the file system? Even my web server reads from my database, and writes to log files.

I suppose I could use it to lock down my echo service, but I don't recall seeing many security advisories about that.

Is there some real-world example that makes sense that you could explain to an idiot like me?

Re:Example? (1)

profplump (309017) | more than 6 years ago | (#23370484)

Your web server only needs to listen on specific ports, and only needs to read from and write to specific paths. SELinux can enforce those limitations.

Wow (0)

Anonymous Coward | more than 6 years ago | (#23370426)

Wow, adding permissions to groups! What a concept! Welcome to the late 20th century, Linux.

wishful thinking (0)

nguy (1207026) | more than 6 years ago | (#23370698)

There is not a shred of evidence that SELinux is any more secure than other approaches to Linux security. In fact, in practice, it may well be less secure since it is so complex and hard to deploy: either people disable it entirely, or they configure it wrong and have a false sense of security.

To me, SELinux represents a lot of what is wrong with security today: people think that they can achieve security by just tacking a bunch of complicated software on top of existing systems, and people think they can get away with ignoring usability and users.

Re:wishful thinking (1)

Sir_Lewk (967686) | more than 6 years ago | (#23370844)

If you are going to take competency of the admin into account when analyzing how secure a system can be, then you are pretty much already screwed.

Complexity (0)

Anonymous Coward | more than 6 years ago | (#23371386)

This is reality! How many Windows admins do you know that are thoroughly competent?

How many "Linux Admins" do you know that are aware of, and can competently command and control all aspects of one Linux system, let alone 5, 20, or 200?

"Security through complexity" didn't become a cliché by accident.

Re:wishful thinking (1)

HuguesT (84078) | more than 6 years ago | (#23370854)

This is not quite correct. With SELinux, the vendor can define precise roles for all the system daemons for instance. This definitely improves security because even if a buffer overflow is discovered in one of them, if they are barred from interacting with the filesystem for instance, the security breach cannot be exploited so easily.

This should not forbid users from interacting with the daemon in the way it was designed to work; in fact, this should be totally transparent.
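As an added illustration of the point profplump and HuguesT make above (a daemon confined to one port and a few paths, so that a bug in it cannot reach the rest of the filesystem), here is a minimal reference-policy style type enforcement module for a hypothetical daemon. This is example code written for this discussion, not policy shipped by the SELinux project or any distribution; the daemon name `myweb`, the types `myweb_t`, `myweb_exec_t`, `myweb_content_t` and `myweb_log_t`, and the paths in the file-context section are all assumptions.

```selinux
# myweb.te -- constructed example policy for a hypothetical daemon "myweb"
policy_module(myweb, 1.0.0)

########################################
# Declarations
#
# The daemon runs in myweb_t when init executes a file labelled myweb_exec_t.
type myweb_t;
type myweb_exec_t;
init_daemon_domain(myweb_t, myweb_exec_t)

# Static content the daemon may serve (read-only).
type myweb_content_t;
files_type(myweb_content_t)

# Log files the daemon may create and append to.
type myweb_log_t;
logging_log_file(myweb_log_t)

########################################
# Local policy
#
# Network: a TCP socket bound to the http port (80/443 per the port map),
# nothing else.  Binding ssh_port_t or any other port is denied.
allow myweb_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(myweb_t)
corenet_tcp_bind_http_port(myweb_t)
corenet_tcp_sendrecv_generic_if(myweb_t)
corenet_tcp_sendrecv_generic_node(myweb_t)

# Filesystem: list and read content directories and files ...
allow myweb_t myweb_content_t:dir list_dir_perms;
allow myweb_t myweb_content_t:file read_file_perms;

# ... and append (never read or truncate) its own logs.  Files the daemon
# creates under /var/log get myweb_log_t automatically.
allow myweb_t myweb_log_t:file { create append getattr open setattr };
logging_log_filetrans(myweb_t, myweb_log_t, file)

# Every access not listed above (writing to etc_t, reading shadow_t,
# executing a shell, opening other sockets) is denied and audited.

########################################
# myweb.fc -- file contexts (constructed example paths)
#
# /usr/sbin/myweb          --  gen_context(system_u:object_r:myweb_exec_t,s0)
# /srv/myweb(/.*)?             gen_context(system_u:object_r:myweb_content_t,s0)
# /var/log/myweb(/.*)?         gen_context(system_u:object_r:myweb_log_t,s0)
```

With the reference-policy development headers installed, the module is built with `make -f /usr/share/selinux/devel/Makefile myweb.pp`, loaded with `semodule -i myweb.pp`, and the labels applied with `restorecon -Rv` on the listed paths. Because the policy is default-deny, anything the compromised daemon tries beyond this list shows up as an AVC denial in the audit log rather than succeeding, which is exactly the "explicitly minimized" access the article summary describes. `sesearch --allow -s myweb_t` on the loaded policy confirms that the allowed set is only what was written here.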

You have to be really lazy to disable SELinux (1)

pembo13 (770295) | more than 6 years ago | (#23371476)

And I am referring to server environments where you aren't constantly adding and removing programs. If you think SELinux is a pain in the ass to use for any software that comes packaged for the distro you're using, either there is a problem with the package itself, or there is some strange thing wrong. If we were talking about SELinux in FC2 I would agree, but at the F8, EL5 level, there is really no excuse. The devs even made a tool which tells you exactly how to fix issues that cause alerts/blocks.