With RHEL 5, Red Hat goes to bat for SELinux

With RHEL 5, Red Hat goes to bat for SELinux: "IT managers who want to secure their Linux environments and keep things running smoothly have a very powerful tool at their disposal: Security Enhanced Linux, or SELinux, an implementation of mandatory access controls originally developed by the National Security Agency. Currently, it is integrated into most mainstream Linux distributions.

'[SELinux] stops theft, it stops spam relays, it stops worms from attacking your site,' said Dan Walsh, principal software engineer at Red Hat Inc. and a regular contributor to the SELinux project. As such, IT managers should leave it on at all times in every facet of their data centers.

The problem is, these days many users simply turn SELinux off (it's built into Red Hat Enterprise Linux).

While the open source security technology is widely regarded as highly secure, it is also seen as wildly complex. A slew of new tools and policy management features in RHEL 5 could help change that perception, but is it too late?

SELinux: Reality versus mindshare

'The biggest problem for SELinux is mindshare,' said Jim Klein, the director of information services and technology at California-based Saugus Union School District. 'It developed a stigma early on due to the lack of tools for configuration and troubleshooting, which led people to simply turn it off.'

Sadly -- for SELinux advocates anyway -- Klein said the problem got to the point where an administrator's first question when troubleshooting a system would be, 'Is SELinux turned on?' He said SELinux is turned off in his data center, and he won't consider reactivating it until his district's planned migration to RHEL 5 is complete.

Nevertheless, Red Hat's Walsh said the SELinux 'complexity problem' could be waning. He recently dissected SELinux, the mandatory access control technology that now comes turned on by default in Red Hat Enterprise Linux 5, during a session at the annual Red Hat Summit in San Diego. SELinux was included in RHEL 4, but only now can Walsh and other SELinux experts safely say: 'Leave SELinux on everywhere.'

'RHEL 4 was like a demonstration of the technology,' Walsh said. 'We had confined it to a certain amount of domains, or 15 targeted programs [within RHEL], that applications had access to.'

With RHEL 5, however, the number of targeted programs was ratcheted up to 200. Again, he said, 'The goal [with RHEL 5] is to leave SELinux on everywhere.'

SELinux: Complex, but Troubleshooter could help

One person who knows SELinux better than most is Frank Meyer, an author and SELinux expert.

'I won't accuse anyone specifically of putting that [complexity] idea out there, but the perception is there because SELinux has the ability to protect everything the Linux kernel provides,' he said. 'The Linux kernel itself is complex and you have to address everything [it] provides.'

To Meyer, when a user says SELinux is too complex to be deployed effectively, it's like they're saying they can't use the Linux kernel because they don't know how to write a device driver. 'Logically, it just doesn't make sense,' he said.

To address this perception, Red Hat has introduced SELinux Troubleshooter in RHEL 5. Also known as setroubleshoot, SELinux Troubleshooter is a tool that watches the audit log files for access vector cache (AVC) messages and explains the denials they record."
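To make concrete what "watching the audit log for AVC messages" means, here is an added example (not code from setroubleshoot, Red Hat, or the article) that does the first part of that job: it parses audit records, keeps only the AVC denials, and groups them by source type, target type, object class and permission so an administrator can see what SELinux is actually blocking. The audit lines embedded below are constructed for illustration, not captured from a real host; on a RHEL system with auditd running, the real records live in /var/log/audit/audit.log.

```python
"""Minimal AVC-denial summarizer in the spirit of setroubleshoot.

Added example; not setroubleshoot's own code. It reads audit records,
keeps the AVC denials and groups them so the admin can see what SELinux
blocked instead of reaching for 'setenforce 0'.
"""
import re
from collections import Counter

# Constructed sample records in audit.log format (NOT captured from a real host).
# Two repeated denials of httpd reading a file labelled user_home_t, one denial
# of httpd connecting to the mysqld port, one non-AVC record, one 'granted' AVC.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1180546271.231:1432): avc:  denied  { read } for  pid=2457 comm="httpd" name="index.html" dev=dm-0 ino=262406 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1180546271.231:1432): arch=40000003 syscall=5 success=no exit=-13 a0=9f2a3b0 a1=8000 a2=0 a3=8000 items=0 ppid=2454 pid=2457 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1180546272.004:1433): avc:  denied  { read } for  pid=2457 comm="httpd" name="index.html" dev=dm-0 ino=262406 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1180546290.118:1440): avc:  denied  { name_connect } for  pid=2461 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1180546301.552:1451): avc:  granted  { setenforce } for  pid=2500 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Header of an AVC record: timestamp, serial, verdict and the permission set.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs after 'for'; values may be quoted (comm="httpd") or bare.
# Tolerates extra fields, so records from newer kernels still parse.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": tuple(m.group("perms").split()),
    }
    for key, value in FIELD_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    return rec


def type_of(context):
    """Extract the type (third field) from a user:role:type[:range] context."""
    return context.split(":")[2]


def summarize_denials(text):
    """Group denied AVCs by (source type, target type, class, permission).

    Returns a Counter keyed by that 4-tuple; 'granted' records are ignored.
    """
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(type_of(rec["scontext"]), type_of(rec["tcontext"]),
                    rec["tclass"], perm)] += 1
    return counts


def report(text):
    """One human-readable line per distinct denial, most frequent first."""
    return [f"{n:3d}x  {src} -> {tgt} ({cls}: {perm})"
            for (src, tgt, cls, perm), n in summarize_denials(text).most_common()]


if __name__ == "__main__":
    for line in report(SAMPLE_AUDIT_LOG):
        print(line)
```

Run against a real audit.log, the report tells you which domain is hitting which label, which is the question to answer before changing anything. In the constructed httpd_t -> user_home_t case, for example, the usual remedies are a policy boolean such as httpd_enable_homedirs or relabelling the content with restorecon; neither requires turning SELinux off, which is the point Walsh and Meyer are making.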
