is a distribution
produced by the U.S. National Security Agency. It is based on the Linux
Security Module architecture (which is not yet part of the 2.5 kernel).
SELinux provides a whole set of mandatory access control features to
protect parts of the system from each other. There is no "root" user in
SELinux. Even if a server process is compromised, it is highly limited in
the damage it can do to the rest of the system.
According to the license
page, SELinux is freely distributable under the terms of the GPL. It
looks like a high-quality and useful contribution to the Linux community.
There is a potential problem, however. Much of the actual work in the
implementation of SELinux was done by Secure Computing Corporation
(SCC). SCC, in its implementation of SELinux, used a technology that it
enforcement. As it turns out, SCC has a patent on this technology.
Concerns over the type enforcement patent are not new - they were first
raised back in 2000. At that time, SCC put up an SELinux FAQ stating:
: Will SCC use its patent on Type Enforcement TM to
restrict use, future development, derivative work, or release of the
source code of the system?
There will be no restrictions on the use of TE by the Linux open source
We will release source code for all the modifications to the existing
kernel and for a general-purpose security policy engine under the GPL.
Recently, this page has been removed from the SCC web site - a move which
should be of concern to anybody who is relying on web-based promises about
access to patented technology. For now, the cached
copy on Google is still available, though. Grab a copy while you can -
web-posted promises can be ephemeral things.
More recently, in a conversation on the Linux Security Module list, an SCC
employee made a rather different statement:
SELinux includes Type Enforcement technology developed and patented
by the Secure Computing Corporation, who still holds rights to all
commercial use of the technology. Before a colo company, or anyone
else uses the technology commercially, it will be necessary to
negotiate a license with Secure Computing. If anyone wants to do
so, I can help get the ball rolling with our Legal and BD folks.
This, of course, puts a damper on many possible uses of SELinux, as well as
negating any claims of GPL licensing. Projects which have used some of the
SELinux code, such as the Debian SE effort, are having to reconsider.
It would appear that SCC has not really decided what its policy is going to
be; a message has been posted stating:
We would like to set the record straight with a clear statement,
and we will do that soon. However, we want to avoid creating more
confusion, so we are going to take a little time to reflect before
we respond. My initial response was intended to let people know
that the licensing issues have not yet been resolved.
So, SCC may eventually do the right thing (from the free software
community's point of view) and preserve the free licensing of SELinux.
(This cause will probably not be helped by sending inflammatory
mail, by the way). Either way, this situation shows, yet another time, the
sort of threat that software patents pose to free software.
to post comments)