In the last few weeks, there have been three significant events in the adoption of SELinux and Type Enforcement. They’re all exciting, and each is a testament to the long-term success and viability of the TE approach. Even more exciting, though, is the fact that none of these announcements came from Red Hat. After carrying the flag for so long, it’s gratifying to see other communities join the effort to make serious security a standard feature in general-purpose operating systems.
First, Sun has announced that they will be porting Flask to OpenSolaris in cooperation with the NSA, calling it Flexible Mandatory Access Control, or FMAC. If this sounds familiar, it should - it’s very similar to the deal NSA and Red Hat struck in 2004, when SELinux was just gaining interest from a broad audience.
While Sun obviously isn’t working on SELinux, they’ll be taking Type Enforcement, the theory behind SELinux, and bringing it to the OpenSolaris project. This is gratifying to Red Hat, of course, as this is a significant endorsement of the TE approach. The work will be in OpenSolaris and not Solaris proper, and it’s not clear how the Flask work will be ported from OpenSolaris to Solaris, but nevertheless I’m sure I speak for everyone on the SELinux team at Red Hat in welcoming Sun to the fold.
Second, SELinux is now available on the new Ubuntu release, Hardy Heron. In the past, SELinux has been stigmatized by being a “Red Hat” thing, or a “Fedora” thing, even though Gentoo and Debian have incorporated it in the past. With the addition of another high-profile distribution, that seems to be changing.
Third, the good people at Tresys and the rest of the SELinux team have released a new Reference Policy for SELinux. This new policy adds a very exciting new feature: support for XACE/XSELinux. In other words, the framework is now in place to label an OpenOffice document window as “Company Confidential” or “Secret,” and enforce rules around how data in that window can be used. At the same time, Red Hat has contributed support for a number of new features, including confined users, so you can say “let this person log in, but don’t let them run X Windows or use the network,” or “let this staff member log in, but only let him manage the web server.” Imagine how useful it would be to have these features and that kind of protection in every Linux distribution. Even private sector customers can appreciate how useful it could be for HIPAA or SOX compliance.
Viewed from a distance, I think there are a few reasons for this sudden surge in interest:
First, SELinux is now much easier to use than it’s been in the past. Customers I talk to have moved from “It’s a pain, I always turn it off” to “I know I should use it, I’ll get to it eventually.” That’s a non-trivial improvement, due in no small part to the outstanding work done by Dan Walsh and the rest of the Red Hat team on tools like setroubleshoot.
Second, SELinux is slowly moving out of the narrow government market and into more general-use applications. As more security risks emerge, and the tools become more flexible and useful, folks see the utility of securing and compartmentalizing their systems. Vendors and distributions are responding with a tested and proven security solution like SELinux, and Type Enforcement generally.
Third, in the government space, it’s becoming clear that TE is the only way to accurately and securely model the complex interactions between agencies and coalition partners. Trusted Solaris 8, the 800-pound gorilla in this market, is near the end of its useful life. The upgrade path to Solaris 10 Trusted Extensions is less than simple. For many use cases, especially those involving a large number of security enclaves, Solaris 10 and its Zones-based approach simply can’t do the job. Customers are hungry for a more straightforward alternative that can support even complex use cases, and they’re all taking a long hard look at SELinux.
So, I’m proud that Red Hat has taken a leadership role in this field. We have been a visible cheerleader for TE and SELinux for years, and it’s gratifying to see the community grow. With luck, the Fedora, OpenSolaris, and Debian communities can all work together, each learning from the other’s mistakes, and ultimately deliver the best and most flexible security available. That way, everyone wins.