Security-enhanced Linux (SELinux), introduced in Red Hat Enterprise Linux 4, adds a mandatory access control architecture to the major subsystems of the Linux kernel. Developed by the National Security Agency as a research prototype, SELinux provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements. Because the kernel enforces policy regardless of what an application or user requests, threats of tampering with or bypassing application security mechanisms can be addressed, and the damage caused by a malicious or flawed application can be confined to what the policy allows that application. This allows the Linux operating platform to support stronger levels of security.
Red Hat concurs with security experts that a secure operating system is the cornerstone for system security and information assurance. Furthermore, Red Hat believes that SELinux can provide a best practices approach for transparent, universal system security and information assurance.
Protects Key Applications
Many applications are designed in such a way that they need to run as root, giving the application more access than it requires. In a traditional system, an attacker who manages to compromise such an application can attain a root shell. From there, the attacker can read password files or install spam-forwarding software. If a firewall exists on the server, the attacker could alter the firewall rules to open even more access to an organization's internal network.
With SELinux, the attacker is limited to the access the policy allows for the compromised application. The rules are defined by the system or the application policy, not by individual users, and an attacker who has gained root cannot turn them off. For example, if an attacker is able to compromise a web server and attain a root shell, he or she can still only perform the functions the policy grants to the web server, such as reading files from a specified directory or running scripts in another directory. The attacker is prevented from seeing anything outside of those areas, greatly limiting the potential for damage. This protection applies only while SELinux is running in enforcing mode and the application runs in a confined domain under the loaded policy; each attempted access the policy does not allow is denied and recorded as an AVC denial in the audit log.
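To make the confinement described above concrete, the following script, added here as an example and not code from the original page or from Red Hat, parses SELinux AVC denial messages in the audit log format and summarizes what a confined process was blocked from doing. The log lines are constructed for illustration (a compromised httpd trying to read /etc/shadow, write a firewall save file, and connect to an SMTP port); they were not captured from a real system. Red Hat Enterprise Linux 4 contexts have three fields (user:role:type); later releases append an MLS level such as ":s0", and the parser accepts both.

```python
"""Summarize SELinux AVC denials from audit log lines.

Added example, not part of the original page. The sample log lines below
are constructed for illustration rather than captured from a real host.
"""
import re
from collections import Counter

# Constructed sample of audit records. Lines 1-3 are denials the policy
# produces when a compromised httpd (domain httpd_t) steps outside the
# access it was granted; line 4 is an allowed read of web content; line 5
# is a non-AVC record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1161979478.112:8): avc:  denied  { read } for  pid=2345 comm="httpd" name="shadow" dev=dm-0 ino=131140 scontext=root:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1161979479.301:9): avc:  denied  { write } for  pid=2345 comm="httpd" name="iptables-save" dev=dm-0 ino=262298 scontext=root:system_r:httpd_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1161979480.005:10): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=25 scontext=root:system_r:httpd_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
type=AVC msg=audit(1161979481.777:11): avc:  granted  { read } for  pid=2345 comm="httpd" name="index.html" dev=dm-0 ino=393220 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1161979478.112:8): arch=40000003 syscall=5 success=no exit=-13
"""

# One AVC record: verdict, the permission set in braces, free-form
# key=value fields, then the source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type (third field) of a context, with or without an MLS level."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", ""),
        # Files carry name=, network targets carry dest= (port number).
        "target": fields.get("name", fields.get("dest", "")),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize_denials(log_text):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def report(log_text):
    """Render the denial summary as one line per distinct denial."""
    lines = []
    for (stype, ttype, tclass, perm), n in sorted(summarize_denials(log_text).items()):
        lines.append(f"{n:3d}  {stype} -> {ttype} ({tclass}): {perm}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT_LOG))
```

Run against a real /var/log/audit/audit.log (or /var/log/messages on hosts without auditd), a burst of denials from a single domain against types it has no business touching, as in the sample, is a strong signal that the confined service has been compromised, even though the policy stopped each access.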
No Added Administration
In a default installation of Red Hat Enterprise Linux, SELinux plugs into the Linux Security Modules (LSM) framework to mediate access requests at the kernel level, and the default (targeted) policy confines a set of common network-facing daemons while leaving other processes unconfined. The SELinux-based security for these applications requires no extra administration and is transparent to users and applications, provided the files those daemons use carry the security contexts the policy expects; the system labels them correctly at installation.
Integrated into Mainstream Operating System
SELinux is provided as a feature within Red Hat Enterprise Linux, rather than as a separate product. This is a key advantage for customers, who can deploy SELinux and maintain the full ISV support available to Red Hat Enterprise Linux.
Additional SELinux Functionality
For customers interested in an even greater level of security, the functionality of SELinux can be extended. Policies can be written to confine additional applications, or the 'strict' policy can be deployed, in which mandatory access controls protect all resources on the system and every process runs in a confined domain. For assistance in enabling these advanced security functions, contact Red Hat Professional Services.
Try SELinux Today
SELinux functionality is currently available in Red Hat Enterprise Linux 4.