Prior to Dec. 22, 2000, IT security was viewed as almost a customized process, particularly in the public sector. When a particular government agency or branch wanted a secure IT platform for classified computing, they often had to request a “trusted” variant of an existing UNIX operating system, like Trusted Solaris or Trusted IRIX. This was an incredibly expensive endeavor for vendors, who had to allocate significant technical and engineering resources to the task, with these costs ultimately passed onto the small number of customers needing this functionality. The National Security Agency (NSA) eventually decided that they wanted security “by default” and turned to the burgeoning Linux operating system to build a solution that would answer this need.
On Dec. 22, 2000, the NSA released their code to the wider open source world in the form of SELinux, and in doing so forever changed the security landscape of not just Linux, but the technology world at large. A combination of policies and security frameworks, SELinux is one of the most widely-used Linux security modules. Without these innovations, Common Criteria, a crucial government security certification, would likely not exist for Linux.
This is not to say, however, that SELinux has remained static since inception. As computing has evolved, so too has SELinux, driven by a broad community of support with significant contributions from end users within US public sector and defense agencies, as well as from within Red Hat, our partners and the broader open source community. Originally built with singular systems in mind, SELinux policies have evolved to address many different security scenarios and use cases. Such scenarios can affect not only physical systems, but also virtual machines and cloud-based workloads as well as the growing set of security challenges facing Linux containers and the general boom in mobile and edge devices (like those for the Internet of Things).
Red Hat is proud to have been one of the earliest corporate backers of SELinux and we believe so strongly in the technology that we deliver it as the default standard for Red Hat Enterprise Linux, Red Hat Enterprise Linux OpenStack Platform, Red Hat Enterprise Virtualization, OpenShift by Red Hat, Red Hat Enterprise Linux Atomic Host, and our entire portfolio of technologies that build on the Red Hat Enterprise Linux foundation. For us, SELinux served as one of the earliest proof points for open source security features, providing a tangible and ready answer for individuals and organizations that tested the security features of the open source model.
With the question of open source security long behind us, we are now focused on providing an even more flexible security model through SELinux. With the rise of composite, distributed applications that can span hundreds of physical and virtual machines as well as disparate cloud instances and Linux container deployments, one-off usage of SELinux is not enough. Instead, we are focused on providing “defense in depth” for modern computing scenarios, effectively building and deploying SELinux policies at each level of the datacenter.
This “Russian nesting doll” style of security, delivered through the flexibility of SELinux, is designed to provide layers of protection, so that should one layer fail, more stand ready to face the threat. This is why Red Hat has built SELinux, and enabled it by default, across our portfolio, along with our other key security components including tools like OpenSCAP.
As should be very obvious from Red Hat’s widespread adoption of the technology, SELinux isn’t just for government and defense agencies anymore. SELinux also provides the default security features in Android (starting with the Lollipop release), moving beyond the datacenter and now securing a gamut of IT deployments, from mobile device systems to enterprise data center systems of record, offering security features from the mobile endpoint.
After 15 years, we, along with a robust community, continue to enhance the features and capabilities of SELinux, with a particular focus on integrating SELinux with management and monitoring tools to streamline administration and security operations. We are also constantly evaluating how SELinux handles a multi-tenant world, especially in cloud and Linux container scenarios, and are working closely with our customers and end users across the public and private sectors to drive these innovations.
So here's to the 15 years of SELinux and to the SELinux community, and to many, many more!
About the authors
Gunnar Hellekson is vice president and general manager for the Red Hat® Enterprise Linux® business. Before that, he was chief strategist for Red Hat’s U.S. Public Sector group. He is a founder of Open Source for America, one of Federal Computer Week’s Fed 100 for 2010, and was voted one of the FedScoop 50 for industry leadership. Hellekson was a founder of the Military Open Source working group, a member of the SIIA Software Division Board, the Board of Directors for the Public Sector Innovation Group, the Open Technology Fund Advisory Council, New America’s California Civic Innovation Project Advisory Council, and the CivicCommons Board of Advisors.
Prior to Red Hat, Hellekson worked as a developer, systems administrator, and IT director for a number of internet businesses. He has also been a business and IT consultant to not-for-profit organizations in New York City. During that time, he spearheaded the reform of safety regulations for New York State’s electrical utilities through the Jodie Lane Project.