RealTime IT News

Linux Gets Security Boost from NSA

Most stories about government deployments of Linux involve a distributor helping various federal and municipal agencies install the open source operating system. But in this case, a federal agency is helping Linux.

The U.S. National Security Agency (NSA), the Department of Defense's cryptologic division also known as the codemakers and codebreakers, has helped to harden Linux with newly released Security Enhanced Linux (SELinux) kernel modifications.

The latest release, which updates the base kernel to 2.6.3 and 2.4.24, contains numerous significant improvements to security in the open source operating system. The SELinux improvements mark a major breakthrough for Linux. Because of the NSA's contributions to the kernel, the new security features will now show up in mainstream distributions of Linux.

"Conditional policies are significant and also networking hooks were added, which makes SELinux all that much more powerful," Joshua Brindle, hardened Gentoo Linux Project Leader and a listed contributor to NSA's SELinux, told internetnews.com.

"They also exported AVC controls to userland to facilitate strong X-based access control and privilege separation," he added.

SELinux was released by the NSA under the GNU GPL open source license. SELinux is essentially a Linux kernel with a number of utilities that provide enhanced security functionality. But the critical component of SELinux is how it implements and handles mandatory access controls.

"SELinux is important because mandatory access controls are essential to limiting access to daemons and users to only what they need. It also solves the age-old almighty powerful superuser problem in Linux," Gentoo's Brindle told internetnews.com.

"We stress however that it isn't an end-all solution, that it must be combined with additional layers of protection."

Debian, Gentoo and Red Hat Fedora's latest test release of Fedora Core 2 all currently make some use of SELinux. Red Hat also plans to incorporate SELinux into its next Red Hat Enterprise Linux release.

This "marks an important milestone in what enterprises globally feel is an important issue," Red Hat spokesperson Leigh Day said of the SELinux update. "One of the first issues we hear from our customers when talking with them about solution requirements is security," she told internetnews.com. "We're pleased to be working with the NSA to bring SELinux to our distribution. We will incorporate SELinux fully in our next release of RHEL 4."

The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs.