Red Hat has undoubtedly done more to make SELinux usable than any other
organization, but has it actually reached the point where it can be enabled
by default for all desktops? The Fedora project clearly thinks so. Not only
is SELinux enabled, but the installer no longer has an option to disable
it or to put it into "permissive" mode. Most of the posts in a thread on
the fedora-devel mailing
list see that as the right choice, but some are not so sure.
Jon Masters started things off by making a request to restore the
installation option, giving several reasons summing up with:
But there are numerous other justifications I could give, including my
personal belief that it's absolutely nuts to thrust SE Linux upon
unsuspecting Desktop users (who don't know what it is anyway) without
giving them the choice to turn it off.
His reasons were unconvincing to many as he was not considered to be a
"normal" desktop user; the things he was doing were much more technical
than the users that are being targeted by the SELinux policies distributed
with Fedora 9. The problems he reported were resolved quickly, but the
fact remains that there are paths through Fedora—even just using
desktop applications—that will result in SELinux-caused failures.
The Red Hat SELinux team is very responsive, but users will get frustrated
quickly if things they are trying to do fail in mysterious (to them) ways.
Alan Cox argues against providing an installation choice because he doesn't
think users have enough context to make a sensible choice. He likens it to a
car with multiple choices for safety features:
"This car has brakes, enable them ?"
"Would you like the seatbelts to work ?"
"Shall I enable the airbag ?"
When push comes to shove, Masters and a few others see the default of
SELinux installed in "enforcing" mode as being too restrictive. It is
likely to cause users to become annoyed with Fedora as a whole because one
or more paths through the applications have not yet been tested. That,
unfortunately, is the crux of the issue: SELinux policies are being
developed in a reactive manner based on testing applications and adding
exceptions for actions they perform.
As a security tool, SELinux is a good choice, because it essentially denies
everything by default. Policies are added that will allow certain actions
for users and applications. Its complexity is legendary, however, which is why
Red Hat (and others) have made a substantial effort to make it work
semi-invisibly. They started by generating policies for network-facing
services and have now moved into securing desktop applications,
particularly programs like web browsers which are increasingly the target
SELinux has three modes, disabled, which turns off SELinux,
permissive, which just logs attempts to do things that violate the
enforcing, which disallows any access that is denied by the policies.
When getting applications to work with SELinux, permissive mode is typically
used. The log messages are analyzed to determine what changes should be
made to the policies or to the application so that they work
together. If there are features that were not tested in the application that
require additional privileges, the first user that tries that feature in
enforcing mode will run into trouble.
When that happens, SELinux can be put into permissive mode with a simple
GUI or configuration file change, followed by a reboot. One of the
problems is that users may very well not know that SELinux is the source of
their problem. There are tools, like SETroubleShoot, that can help alert users, but it is still a
frustrating, hard to comprehend problem at times. Once the user has
"fixed" the problem by disabling SELinux, they are unlikely to turn it back
It is a difficult choice, but Fedora is firmly on the side of forcing
non-technical users into using SELinux, at least until it breaks. More
technical users will know about SELinux and, perhaps, be able to make more
One of Red Hat's SELinux developers, James Morris, neatly sums up the reasons it is important to
continue pushing SELinux:
The only way to really make progress in improving security is to make it a
standard part of the computing landscape; for it to be ubiquitous and
generalized, which is the aim of the SELinux project.
Punting the decision to the end user during installation is possibly the
worst option. It's our responsibility as the developers of the OS to both
get security right and make it usable. It's difficult, indeed, but not
There are efforts underway to add easier ways for users to report SELinux
log messages, perhaps even in an automated way, so that policy or
application problems get identified and fixed more quickly. While it may
not be easy for long-time Linux users to adjust to an SELinux-enabled
system, it is getting to the point where average users, who never use
the command line, rarely run into problems. And those are just the kind of
users who need the level of security that SELinux can provide.
Comments (72 posted)
Those who have followed the GNOME project over the last few years have seen
the wishlist item for a "business manager" or "executive director" for the
GNOME Foundation; the subject was especially likely to come up during
Foundation board elections. This position has remained unfilled for some
time, seemingly a result of uncertain funding and the difficulty of finding
the right person. These problems would appear to be in the past now; on
July 7, the GNOME Foundation announced
that this position would be filled by Stormy Peters, formerly of OpenLogic.
Stormy now has the challenge of helping an energetic and independent-minded
development community build on its success and achieve its ambitious goals
for the future. We asked her a few questions about how she thought that
might go; here's what we got back.
LWN: This is a new position, in that the GNOME Foundation has never had an
executive director before. So people may be wondering what you'll
actually be doing. How do you expect to be spending your time in this
Actually, the GNOME Foundation has had an executive director before
but not for the past few years. I will spend my time strengthening
relationships with the existing sponsors, working on finding new
industry partners and helping the Board of Directors and the
community execute some of their great ideas for GNOME. The GNOME
community's goal is to provide an easy to use, intuitive interface
for Linux and Unix as well as a powerful development platform.
A year from now, what do you hope your biggest accomplishments will be?
The GNOME community has a tremendous amount of passion and a real
dedication to making a development platform and a desktop that is
easy to use. I think showing the world that, getting the word out
and showing how it is changing the way people are able use their
computers and mobile devices is key. So to answer your question,
I'd like to see a stronger Foundation (more sponsors and members),
increase the amount of great ideas that get executed, and make
GNOME a household name. :)
Next year, it seems reasonably likely that there will be a combined
GNOME/KDE developers conference in Europe. What are your thoughts on the
current state of cooperation with KDE, and how do you think it could be
I hope we have a combined GUADEC/Akademy next year. KDE and GNOME
have been working more closely together during the past year or so
and they have accomplished some good things like with dbus. I think
anytime you get great developers together, good things happen.
One high-profile GNOME goal was 10x10 - 10% of the desktop market by 2010.
In mid-2008, it seems fairly clear that this goal will not be achieved. Do
you think that the desktop remains a suitable target for free software, or
should GNOME deemphasize the traditional desktop in favor of other goals?
I do think that a free and open source desktop is still a great
goal. While the number of free and open source desktops out there
might be small, it is growing tremendously. Just look at the number
of laptops that ship with GNU/Linux (from Dell, Asus and other) as
well as the number of mobile devices that are based on free and
open source software.
Though the GNOME Foundation is not intended to control the technical
direction of the project, it clearly cannot be without influence there.
Are there technical directions you would like to see the development
community take, directions which would help to convince manufacturers to
incorporate GNOME technologies and contribute to GNOME development?
I'll be working closely with the community and the board of
advisors to figure out how I can best help with technical
directions. One thing we'd like to see from our sponsors - through
our board of advisors - is more information on what end-users would
like to see in GNOME.
In the past you have spoken about how introducing money into free software
development can have a demotivating effect on developers. Do you fear that
sort of problem as GNOME becomes more commercially successful? How would
you hope to avoid that kind of difficulty?
I don't think it's an issue in the short term as growing the GNOME
Foundation doesn't directly correspond to hiring lots of
developers. But that said, I think the key is maintaining the
intrinsic motivations that make GNOME contributors such a
passionate group of developers.
Thanks to Stormy for being kind enough to answer our questions in the
middle of what must have been a highly busy time at GUADEC in Istanbul.
Comments (6 posted)
Google's purchase of YouTube always seemed questionable to some observers:
it looked as if Google were buying itself a whole new source of copyright
lawsuits. One of the benefits of that purchase came through on
July 2, when a U.S. District Court ordered Google to hand over its
complete set of YouTube traffic logs, containing information about every
video viewed on the service. See
for the full text of the order. If this order stands (and it
appears that Google will not appeal it), millions
of users worldwide will have their viewing data handed over to a litigious
entertainment industry company. There's a couple of important implications
to draw from this turn of events, so LWN will venture a little far afield
and take a look.
The data involved includes, for each video viewed, the time, which video
was involved, which YouTube user account was used, and the IP address the
request came from. Viacom claimed that the privacy of YouTube users is not
threatened by this release of data, and the court agreed. But account
names can be correlated across sites, and IP addresses (especially
time-correlated IP addresses) can easily identify exactly who was watching
a particular video. Viacom promises it would never use this data to launch
enforcement actions against individuals; the fact that the company feels
the need to make that promise suggests that Viacom feels it could
use this data to that end.
One other interesting aspect of the ruling which has been commented upon
less is this: Google has also been ordered to hand over every video which
has been removed from the site. Once again, that is a great deal of data.
It also drives home the point that, on a site like YouTube, nothing is
really removed: all of those "removed" videos are still there, waiting for
some company with enough lawyers to go after it.
All of this data is to be handed over regardless of what jurisdiction the
users thought they were in. Nobody's privacy or data retention laws apply
here. This is a worldwide compromise of personal data.
So lesson number one is obvious: attending to one's personal security
requires being very careful about the data tracks that one leaves on other
data sharing laws, that data is there for the grabbing. The course of
events which led to the compromise of vast amounts of video-viewing data
can also lead to the disclosure of electronic mail, accounting data, online
chat sessions, purchase histories, software downloads, or which edgy Second
Life neighborhood one likes to hang out in. Indeed, records of video
viewing activity are more strongly protected in the U.S. than many other
types of data; other types of information may well prove easier to get.
What we leave on remote
machines seems to stay there indefinitely, and it's an open book for those with
sufficient legal power on their side.
If you gather together that much
information on the behavior of many millions of people, somebody,
somewhere, is going to try to get their hands on it.
The second lesson is for anybody running a publicly-available server, as
many LWN readers do. The video activity database being grabbed by Viacom
is said to be about 12 terabytes deep - before getting into the
"removed" videos. It should not be surprising that a data stash of that
size would attract this kind of action. If you gather together that much
information on the behavior of many millions of people, somebody,
somewhere, is going to try to get their hands on it. How could it possibly
be any other way?
Not enough people are asking this question: why does Google/YouTube hold
that much data about its users? Why does it retain the ability to replay
their actions years after the fact? And why do "removed" videos not go
away? If that data did not exist in the first place, there would be no
question of disclosing it to an attacking corporation. A company which
keeps that amount of data around is prioritizing whatever commercial value
it sees in that data over the privacy and security of its users. And, by
inviting raids from corporations (which we hear about) and governments
(which we might not hear about), such companies are not helping their own
So there are strong arguments for simply not retaining all that data in the
first place. Naturally, some governments are doing their best to force
that kind of retention, but that's a different battle. In the absence of
legal constraints, a standard policy mandating short data retention periods
makes a lot of sense. It behooves all of
us to think about what kind of data we leave lying around - either through
our activities or by facilitating the activities of others - and to keep it
to a minimum. The most secure data is data which does not exist.
Comments (37 posted)
Page editor: Jonathan Corbet
Next page: Security>>