Book review: SELinux
[Posted November 17, 2004 by corbet]
![Cover](/images/ns/selinux-book.png)
The NSA's Security Enhanced Linux project is controversial. To some, it is
the future of Linux computing; with SELinux, many of our current security
nightmares will cease to trouble us. To others, SELinux is a morass of
complexity which is difficult, if not impossible, to understand well enough
to get any sense of whether it is configured in a secure way or not. This
whole situation is not helped by the current state of SELinux
documentation. There are few resources out there for people wanting to
know how SELinux works, how to manage it, or even whether to try to adopt
it.
There is, however, a new book on the shelves: SELinux: NSA's Open Source
Security Enhanced Linux, by Bill McCarty. At 254 pages, this book is
relatively thin by contemporary technical book standards. It offers a
finicky editor a fair number of things to grumble about, but those grumbles
should not overshadow the important point: this book is an important step
in the process of bringing SELinux to a level where software developers and
system administrators can make some sense of it.
Let's get the grumbles out of the way first. The book shows some signs of
having been written and produced in a hurry; as a result, it has more than
the desirable number of typos and contradictions. It talks alternately
about the runcon and run_con command, for example. It
claims that "domain" and "type" are interchangeable terms for the same
concept, then says "Recall that a general type is one not related to
a specific domain." Readers are directed to the kernel source (said
to be found in the deprecated /usr/src/linux directory) to
associate a device name with a major number when a quick look at
/proc/devices would do the job. We are told "SELinux is
generally stable and free of trouble," which would, by itself,
strain many readers' ability to suspend disbelief, but then the author
suggests avoiding using X on SELinux systems, or, if that is impractical,
learning to love GNOME to avoid problems with KDE. And so on. The reader
finds these things often enough that they become a significant distraction
from the real content of the book.
The book starts with a general overview of SELinux, including the obligatory
set of scary statistics on the frequency of attacks. A number of
approaches to security are looked at, including, of course, mandatory
access control schemes. The second chapter is a quick overview of SELinux,
where the important concepts (roles, types) are introduced. The two
mechanisms which can cause type/domain transitions (file creation and
exec() calls) are introduced. Everything is fairly vague at this
point, but the discussion is enough to let some of the important ideas sink
in.
The author then takes a diversion into how to install SELinux on several
distributions, with special attention paid to Debian, Fedora, and Gentoo.
This information will certainly be useful to some readers, but (especially
in the future) most readers are likely to find SELinux on their systems
already. If you are trying to figure out how to make your Fedora system
work, Chapter 3 will just be a distraction. (Incidentally, the book
covers Fedora Core 2).
Chapter 4 gets into high-level SELinux administration: turning enforcement
on and off, installing new policies, dealing with file labels, etc. There
is useful stuff here, but the presentation leaves a little to be desired.
For example, loading policies requires the use of the newrole
command (which will remind old-time Unix users of the obnoxious
newgrp command made necessary by certain vendors' kernels which could only handle
membership in one group at a time). Policy loading is covered
before newrole, however, leading to a fair number of
forward references in the text. Reordering the discussion would have made
things easier to follow. That said, this chapter provides a reasonable
start for administrators trying to find their way around their SELinux
systems.
The next three chapters form the technical core of the book, with detailed
descriptions of the language used to define role-based access control and
type enforcement rules. There are lots of cute railroad diagrams for those
who want pictures, and a detailed examination of how the policy for the
ping utility is put together. If you are trying to make sense of
the policy files that come with your SELinux distribution, these chapters
provide the information that you will need. The book then winds down with
a chapter on ancillary policy statements and one giving some pointers on
how to carry out simple policy changes.
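The two transition mechanisms mentioned above (a process changing domain on exec(), and a newly created file getting a type other than its parent directory's) are easy to misread from prose alone, and the book's own confusion over "domain" versus "type" does not help: a domain is simply a type applied to a process. As an added illustration that is not code from the book or from the review, here is a small Python evaluator for the three policy statements involved (`type`, `allow`, `type_transition`, written in SELinux policy-source syntax). The policy fragment is constructed for this example; it borrows the `ping_t`/`ping_exec_t` naming of the ping policy the book dissects but is not that policy, and only the type field of a security context is modelled.

```python
"""Toy evaluator for a handful of SELinux type-enforcement statements.

Constructed example, not the book's or any distribution's policy.  Only the
'type', 'allow' and 'type_transition' statement forms are handled, and a
security context is reduced to its type field.
"""
from collections import defaultdict

# Constructed policy fragment in SELinux policy-source syntax (not real policy).
POLICY = """
type user_t;
type ping_t;
type ping_exec_t;
type tmp_t;
type ping_tmp_t;

# exec() transition: user_t running a ping_exec_t file becomes ping_t
allow user_t ping_exec_t:file { read getattr execute };
allow user_t ping_t:process transition;
allow ping_t ping_exec_t:file entrypoint;
type_transition user_t ping_exec_t:process ping_t;

# file-creation transition: files ping_t creates in tmp_t dirs get ping_tmp_t
allow ping_t tmp_t:dir { search write add_name };
allow ping_t ping_tmp_t:file { create write };
type_transition ping_t tmp_t:file ping_tmp_t;
"""


class Policy:
    def __init__(self, text):
        self.types = set()
        self.allow = defaultdict(set)   # (source, target, class) -> permissions
        self.transition = {}            # (source, target, class) -> new type
        for stmt in self._statements(text):
            self._load(stmt)

    @staticmethod
    def _statements(text):
        # Drop '#' comments, then split on ';' so a statement may span lines.
        body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
        for stmt in body.split(";"):
            stmt = stmt.strip()
            if stmt:
                yield stmt

    def _load(self, stmt):
        words = stmt.replace("{", " { ").replace("}", " } ").split()
        kind = words[0]
        if kind == "type":
            self.types.add(words[1])
            return
        source, (target, cls) = words[1], words[2].split(":")
        for t in (source, target):
            if t not in self.types:
                raise ValueError(f"undeclared type {t!r} in: {stmt}")
        if kind == "allow":
            self.allow[(source, target, cls)] |= {
                w for w in words[3:] if w not in ("{", "}")}
        elif kind == "type_transition":
            if words[3] not in self.types:
                raise ValueError(f"undeclared type {words[3]!r} in: {stmt}")
            self.transition[(source, target, cls)] = words[3]
        else:
            raise ValueError(f"unsupported statement: {stmt}")

    def allowed(self, source, target, cls, perm):
        return perm in self.allow.get((source, target, cls), set())

    def exec_transition(self, domain, exec_type):
        """Domain a process lands in after exec() of a file of exec_type, or
        None if the exec is denied.  Mirrors the three checks the kernel
        makes: execute on the file, transition to the new domain, and
        entrypoint for the new domain on the file."""
        if not self.allowed(domain, exec_type, "file", "execute"):
            return None
        new = self.transition.get((domain, exec_type, "process"), domain)
        if new == domain:
            return domain  # no type_transition rule: process keeps its domain
        if not self.allowed(domain, new, "process", "transition"):
            return None
        if not self.allowed(new, exec_type, "file", "entrypoint"):
            return None
        return new

    def create_file(self, domain, dir_type):
        """Type a new file gets when `domain` creates it in a dir_type
        directory, or None if creation is denied.  Without a type_transition
        rule the file simply inherits the directory's type."""
        new = self.transition.get((domain, dir_type, "file"), dir_type)
        if not self.allowed(domain, dir_type, "dir", "add_name"):
            return None
        if not self.allowed(domain, new, "file", "create"):
            return None
        return new


POLICY_OBJ = Policy(POLICY)

if __name__ == "__main__":
    print(POLICY_OBJ.exec_transition("user_t", "ping_exec_t"))  # ping_t
    print(POLICY_OBJ.exec_transition("ping_t", "ping_exec_t"))  # None
    print(POLICY_OBJ.create_file("ping_t", "tmp_t"))            # ping_tmp_t
    print(POLICY_OBJ.create_file("user_t", "tmp_t"))            # None
```

The point the toy makes explicit is that a `type_transition` rule only names the default; every step of the transition still has to be permitted by `allow` rules, which is why a policy for even a tiny program such as ping takes several statements to express.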
A topic which is missing entirely is how one might design a security policy
from the beginning. The implicit assumption is that few, if any, readers
will have such ambitious goals; they will, instead, be trying to make
things work with the policy shipped by their distributor. That is probably
a good assumption; designing an SELinux security policy from the beginning
is not for the faint of heart. Still, as we'll explore in a companion
article, there may be reasons for wanting to take on such a project.
Meanwhile, if SELinux takes off the way many people clearly expect it to,
there will be a strong need for developers and administrators who truly
understand how it works. For that reason, your editor predicts that this
book will become required reading for a lot of people. For all of our
quibbles, we must say that Mr. McCarty has succeeded in shedding some
much-needed light into a dark and difficult corner of Linux systems
administration.