Review: Security Enhanced Linux

Security Enhanced Linux

Reviewed by Major Keary

Security Enhanced Linux, generally known as SELinux,
is a product of the American National Security Agency (NSA)
and is open source. As one would expect, O'Reilly is the first
publisher to release a book on the subject, SELINUX: NSA's
Open Source Security Enhanced Linux.

The first part provides an excellent introduction to the
subject for general readers interested in understanding SELinux—what
it does and how it does it. The rest of the book deals with
installation, configuration, testing, and so on; it is an in-depth
technical discussion of many issues and requires more than a passing
familiarity with Linux.

Red Hat and SUSE have announced an intention to
support SELinux in their respective commercial
distributions and it is already a component of Fedora Core 2. Gentoo
Linux specifically supports SELinux, but a tarball has
to be downloaded, unpacked, and compiled. Packages are available for
distros that use RPM, but—at the time of the book's
writing—Red Hat Enterprise Server does not yet officially support SELinux.
Debian and GNU/Linux (and their variants) can also be SELinux-enabled.

SELinux has built into it "mechanisms that protect
against attacks exploiting software vulnerabilities, including 0-day
vulnerabilities. In particular, SELinux implements
role-based access control and sandboxing".

The Windows anti-virus industry has developed a rapid response to
the viruses that plague MS products, but as efficient
as the rapid response is, it still leaves a window of vulnerability
between release-into-the-wild and the distribution of a signature to
clients.

The response cycle is different when a software vendor discovers a
product vulnerability. It is not as simple as adding a new signature to
a .dat file. A patch has to be developed, end users have
to be notified, the patch has to be distributed, and each end user has
to apply it. However, such patches don't always work, and they may
result in unexpected consequences (such as creating new
vulnerabilities). When an end-user receives a patch it has to be
authenticated, tested, and installed. All that takes time during which
the window is wide open. Some vendors save up the known vulnerabilities
and incorporate the patches in a big bang service pack.

Known vulnerabilities for which no patch is available (still in
development, testing, or not yet released) are called 0-day
vulnerabilities—'oh days' for short. Some vendors issue a vulnerability
warning before distributing, or even developing, a patch. That
effectively informs would-be attackers that an opportunity exists.

SELinux is designed to cope with all forms of attack,
including 0-day vulnerabilities. The book discusses in considerable
technical depth how SELinux works and how it is
implemented and configured. Following the discussions of what SELinux
is and how it works the book explains installation procedures for
various distros, administration, monitoring, and development of
security policies.

The intended audience for this title is someone who is "responsible for
the management of one or more sensitive hosts"; for those in that
category this is an essential resource. It should also satisfy the
needs of anyone who wants to develop an in-depth understanding of SELinux.

Bill McCarty: SELINUX: NSA's Security
Enhanced Linux

ISBN 0-596-00716-7
Published by O'Reilly, 238 pp., RRP $74.95 incl. GST

For those interested there are online SELinux
demonstration systems. Try any of these sites for information:

http://selinux.dev.gentoo.org

http://www.coker.com.au/selinux/play.html

http://selinux.simplyacquatics.com