SELinux and patents [LWN.net]

SELinux is a distribution produced by the U.S. National Security Agency. It is based on the Linux Security Module architecture (which is not yet part of the 2.5 kernel). SELinux provides a whole set of mandatory access control features to protect parts of the system from each other. There is no "root" user in SELinux. Even if a server process is compromised, it is highly limited in the damage it can do to the rest of the system.

According to the license page, SELinux is freely distributable under the terms of the GPL. It looks like a high-quality and useful contribution to the Linux community.

There is a potential problem, however. Much of the actual work in the implementation of SELinux was done by Secure Computing Corporation (SCC). SCC, in its implementation of SELinux, used a technology that it calls type enforcement. As it turns out, SCC has a patent on this technology.

Concerns over the type enforcement patent are not new - they were first raised back in 2000. At that time, SCC put up an SELinux FAQ stating:

Question 6: Will SCC use its patent on Type Enforcement TM to restrict use, future development, derivative work, or release of the source code of the system?

There will be no restrictions on the use of TE by the Linux open source community.... We will release source code for all the modifications to the existing kernel and for a general-purpose security policy engine under the GPL.

Recently, this page has been removed from the SCC web site - a move which should be of concern to anybody who is relying on web-based promises about access to patented technology. For now, the cached copy on Google is still available, though. Grab a copy while you can - web-posted promises can be ephemeral things.

More recently, in a conversation on the Linux Security Module list, an SCC employee made a rather different statement:

SELinux includes Type Enforcement technology developed and patented by the Secure Computing Corporation, who still holds rights to all commercial use of the technology. Before a colo company, or anyone else uses the technology commercially, it will be necessary to negotiate a license with Secure Computing. If anyone wants to do so, I can help get the ball rolling with our Legal and BD folks.

This, of course, puts a damper on many possible uses of SELinux, as well as negating any claims of GPL licensing. Projects which have used some of the SELinux code, such as the Debian SE effort, are having to reconsider.

It would appear that SCC has not really decided what its policy is going to be; a message has been posted stating:

We would like to set the record straight with a clear statement, and we will do that soon. However, we want to avoid creating more confusion, so we are going to take a little time to reflect before we respond. My initial response was intended to let people know that the licensing issues have not yet been resolved.

So, SCC may eventually do the right thing (from the free software community's point of view) and preserve the free licensing of SELinux. (This cause will probably not be helped by sending inflammatory mail, by the way). Either way, this situation shows, yet another time, the sort of threat that software patents pose to free software.

(Log in to post comments)

SELinux and patents

Posted Jun 13, 2002 11:12 UTC (Thu) by forthy (guest, #1525) [Link]

Definitely. The GPL says - in the preambel - "To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all." If the patent is only valid in certain countries (like RSA was in the USA only), a GPL'd software could be restricted to those areas where the patent is null and void.

Unfortunately, the GPL doesn't say what "everyone's free use" really is. Is it ok if the patent is limited to GPL'd programs (Free Software)? Is it ok if the patent is limited to OpenSource programs? Can these patents be used as defensive weapon against evil empires that try to sue free software programmer with their patents (while at the same time using patents granted by shipping GPL'd source)?

SELinux and patents

Posted Jul 31, 2003 3:25 UTC (Thu) by spirogyra (guest, #13510) [Link]

Basically, SCC has weakened but probably not broken the enforcability of their patent and wasted a lot of peoples time.

SELinux and patents

Posted Jun 14, 2002 1:27 UTC (Fri) by abredon (subscriber, #2038) [Link]

Since SCC released under the GPL, they effectively have to license their patent for free use by any derivative. Section 7 of the GPL:

7. ... For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. ...

if SCC intends to not permit royalty free redistribution of the program, they are not allowed to distribute. They distributed, therefore they can be held to have permitted royalty free distribution under the GPL. Since they are both the patent holder AND the distributing party, if they try to charge for use of the patent, they are violating the GPL contract they signed by making a derivative work, and thus lose all rights they have to make said derivative work.

End result: If they do decide to charge for the patent, there is effectively no such thing as SELinux, and both SCC and the NSA must stop distributing it - a public relations land mine that SCC should not want to step on, not to mention that the NSA would not like to find out that they can not distribute SELinux due to SCC having broken a contract, after having announced the release of SELinux QUITE publicly.