is a distribution
produced by the U.S. National Security Agency. It is based on the Linux
Security Module architecture (which is not yet part of the 2.5 kernel).
SELinux provides a whole set of mandatory access control features to
protect parts of the system from each other. There is no "root" user in
SELinux. Even if a server process is compromised, it is highly limited in
the damage it can do to the rest of the system.
According to the license
page, SELinux is freely distributable under the terms of the GPL. It
looks like a high-quality and useful contribution to the Linux community.
There is a potential problem, however. Much of the actual work in the
implementation of SELinux was done by Secure Computing Corporation
(SCC). SCC, in its implementation of SELinux, used a technology that it
enforcement. As it turns out, SCC has a patent on this technology.
Concerns over the type enforcement patent are not new - they were first
raised back in 2000. At that time, SCC put up an SELinux FAQ stating:
: Will SCC use its patent on Type Enforcement TM to
restrict use, future development, derivative work, or release of the
source code of the system?
There will be no restrictions on the use of TE by the Linux open source
We will release source code for all the modifications to the existing
kernel and for a general-purpose security policy engine under the GPL.
Recently, this page has been removed from the SCC web site - a move which
should be of concern to anybody who is relying on web-based promises about
access to patented technology. For now, the cached
copy on Google is still available, though. Grab a copy while you can -
web-posted promises can be ephemeral things.
More recently, in a conversation on the Linux Security Module list, an SCC
employee made a rather different statement:
SELinux includes Type Enforcement technology developed and patented
by the Secure Computing Corporation, who still holds rights to all
commercial use of the technology. Before a colo company, or anyone
else uses the technology commercially, it will be necessary to
negotiate a license with Secure Computing. If anyone wants to do
so, I can help get the ball rolling with our Legal and BD folks.
This, of course, puts a damper on many possible uses of SELinux, as well as
negating any claims of GPL licensing. Projects which have used some of the
SELinux code, such as the Debian SE effort, are having to reconsider.
It would appear that SCC has not really decided what its policy is going to
be; a message has been posted stating:
We would like to set the record straight with a clear statement,
and we will do that soon. However, we want to avoid creating more
confusion, so we are going to take a little time to reflect before
we respond. My initial response was intended to let people know
that the licensing issues have not yet been resolved.
So, SCC may eventually do the right thing (from the free software
community's point of view) and preserve the free licensing of SELinux.
(This cause will probably not be helped by sending inflammatory
mail, by the way). Either way, this situation shows, yet another time, the
sort of threat that software patents pose to free software.
Comments (6 posted)
hit the wires on June 12: a new company called "Deersoft"
was announcing existence as a spam-fighting company. Deersoft, as it turns
out, is an attempt to commercialize SpamAssassin
, a highly effective,
free spam filtering system.
SpamAssassin is certainly a good base to start with. We first started
using it here at LWN some months ago; as one might imagine, LWN's public
email addresses get substantial amounts of spam. SpamAssassin filters out
the vast majority of that spam (though, we notice, its hit rate has fallen
a little recently) with almost no false positives. The SpamAssassin
developers have provided us a real service.
Deersoft is following a reasonably common strategy for companies built
around a free software package: offer a value-added, proprietary version of
the program. In this case, Deersoft is selling "SpamAssassin Pro," which
brings SpamAssassin's capabilities to Microsoft Outlook. A 30-day demo
version can be downloaded from the company's web site.
The idea of charging Outlook users as a way of supporting SpamAssassin
development has a certain appeal. There is, however, a considerable list of
contributors who were, it seems, not asked whether it was permissible
to distribute their code under a proprietary license. SpamAssassin is
licensed under the Artistic License, which is a little vague on just when
this sort of distribution is allowed. LWN has talked with a couple of
people who have contributed code to SpamAssassin; they recognize
the significant role that Deersoft principal Craig Hughes has taken in
SpamAssassin development and seem to not begrudge the use of their
contributions in this manner.
One hopes that development of the free version of SpamAssassin will
continue. The press release makes encouraging noises in that regard:
Craig Hughes makes his ongoing dedication to the open software
community clear, "Deersoft is committed to supporting the open
source community, and is pleased to announce the release today of
The lack of an actual 2.3.0 release on SpamAssassin.org as of this writing,
one presumes, is just the result of some last-minute delays.
Free software companies have had a hard time since the bubble burst; it
really is harder to make money when the code is freely available.
SpamAssassin is a great counterexample to the often-made claim that free
software can only imitate, not innovate. Wouldn't it be nice if it also
helped provide a good example of a successful business built around free
Comments (none posted)
issued by the Alexis de Tocqueville Institution has been extensively
covered elsewhere. For those who may have missed it, here are the core points:
- The "open source helps terrorists" line that featured prominently in
advance press release is gone. Security issues are touched on,
and the "security through obscurity" argument for proprietary software
is presented, but the claim that open source assists terrorism has
- Instead, the report is another attack on the GPL, featuring most of
the usual arguments and some new ones as well. For example, the
report claims that processing your code with a GPL-licensed tool
(i.e. emacs or gcc) could force your code to be released under the
GPL, which is nonsense.
- The quality of the research and writing is, in general, not what one
There are persistent claims that this report was directly funded by
Microsoft, though nothing has been demonstrated in any definitive way. For
the curious, this PoliTech
posting documents many of the (numerous) past ties between Microsoft
and the Institution.
(See also: this
point-by-point rebuttal to the report by Leon Brooks).
Comments (2 posted)
Page editor: Jonathan Corbet
Next page: Security>>