News and Editorials
According to this development schedule, Fedora Core 2 will enter a period of
feature freeze next week, which should be followed by its first beta release
on February 2. The two main new features of the product will be Linux kernel
2.6 and SELinux functionality. The capabilities of the new kernel have been
extensively documented and we also mentioned some of the more prominent ones
in last week's coverage of the pre-beta release of Mandrake Linux 10.0, but
what exactly is "SELinux functionality"? And how will it affect the users of
Fedora Core?
First, some background on Security-Enhanced Linux, or SELinux for short. Developed by the US
National Security Agency, Security-enhanced Linux is a research prototype of
the Linux kernel with enhanced security. It contains new architectural
components, which provide support for enforcement of mandatory access control
policies that confine user programs to the minimum amount of privilege they
require to do their jobs. In other words, users running SELinux can define
explicit rules about what subjects (users and programs) can access which
objects (files and devices). It can be thought of as an internal firewall
with the ability to separate programs, thus ensuring a high level of security
within the operating system. SELinux is distributed under the GPL.
The concepts of mandatory access control have been incorporated into the 2.6
kernel series. This is perhaps one of the less glamorous aspects of the new
kernel, interesting only to security experts and system administrators
running mission critical servers. Yet, it is one of the most fundamental and
far-reaching changes in the 2.6 kernel series and it will have major
implications on the way we run Linux servers. Up until now, all default Linux
kernels had a concept of a "superuser", with complete access to all files and
devices on the system. This concept has now been modularized into several
alternative security modules. While the concept of a superuser remains
available, administrators will also be able to choose from one of the more
restrictive modules at boot time, in which case certain programs and files
will not be accessible to the superuser. Even if an attacker is successful in
obtaining superuser privileges (as was the case in the recently compromised
Debian machines), the attacker will not be able to modify the critical parts
of the system - there is no such thing as "chmod 777" on an SELinux
system.
Unfortunately, the kernel itself only provides the means for mandatory access
control together with an example of how to create one's own access control
policies. It is up to Linux distributions to create and implement a system
that includes these controls and integrate them with the rest of the product.
It is obvious that Red Hat's main goal is to include these controls into a
future Red Hat Enterprise Linux release, but not before they are implemented
and well-tested on Fedora Core, starting with the upcoming Fedora Core 2.
This could be a major selling point of the company's enterprise line of
products; of the major distributions, only Debian and Gentoo, both of which
are non-commercial projects, have implemented SELinux functionality into
their respective distributions.
How does this access control mechanism work in practice? On a standard Linux
system not enhanced by SELinux, an attacker might get root privileges in
cases where a program or process running as root is compromised (through
buffer overflow or misconfiguration). If that happens, the attacker has
unlimited access to the entire system. The situation is different on a system
running SELinux with properly defined access control policies. If a program
or process running as root is compromised, the damage is limited to whatever
the process can access. Yes, trying to access files as root on an SELinux
system can return "permission denied"!
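The two-stage decision described above, as an added example that is not part of the original article: a simplified Python model in which the classic permission check lets uid 0 through and a default-deny type-enforcement check then decides by the process's domain. The policy fragment, type names and file attributes are constructed for illustration, and the classic check is reduced to owner/other bits.

```python
import re

# Constructed policy fragment in type-enforcement "allow" syntax (illustrative).
POLICY = """
allow httpd_t httpd_content_t:file { read getattr };
allow httpd_t httpd_log_t:file { append getattr };
allow sysadm_t shadow_t:file { read write getattr };
"""
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{([^}]*)\}\s*;")

def parse_policy(text):
    """Return {(source_domain, target_type, object_class): set(permissions)}."""
    rules = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

def dac_allows(uid, owner_uid, mode, perm):
    """Classic Unix check (owner/other bits only): uid 0 bypasses the mode bits."""
    if uid == 0:
        return True
    bit = {"read": 4, "write": 2, "append": 2}[perm]
    shift = 6 if uid == owner_uid else 0
    return bool((mode >> shift) & bit)

def mac_allows(rules, domain, target_type, perm, cls="file"):
    """Type enforcement is default-deny: no matching allow rule, no access."""
    return perm in rules.get((domain, target_type, cls), set())

def access(rules, proc, obj, perm, enforcing=True):
    """Both checks must pass; the MAC check never looks at the uid."""
    if not dac_allows(proc["uid"], obj["owner"], obj["mode"], perm):
        return False
    return mac_allows(rules, proc["domain"], obj["type"], perm) if enforcing else True

RULES = parse_policy(POLICY)
# Constructed subject and objects: a web server running as root, and two files.
httpd = {"uid": 0, "domain": "httpd_t"}
shadow = {"owner": 0, "mode": 0o600, "type": "shadow_t"}
page = {"owner": 0, "mode": 0o644, "type": "httpd_content_t"}

if __name__ == "__main__":
    for name, obj, perm in [("page", page, "read"), ("shadow", shadow, "read"),
                            ("page", page, "write")]:
        print(f"{name:6} {perm:5} without MAC: {access(RULES, httpd, obj, perm, False)}"
              f"  enforcing: {access(RULES, httpd, obj, perm)}")
```

With enforcement off, the root-owned web server can read and write everything; with it on, the same process is limited to what its domain is explicitly allowed.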
This is Red Hat/Fedora's role in the entire process: to write access
control policies for applications and provide ways for users to customize
these policies. The policies can get fairly complex, and a thorough
understanding of the SELinux Policy Document is essential for effective use
of the SELinux features. It will be interesting to see Red Hat's
implementation of these policies and we will certainly revisit the subject
once we've been through the first few weeks of Fedora Core 2 beta testing.
For those who'd like to start looking into the subject straight away, this
page provides an excellent collection of SELinux-related links.
Distribution News
The Debian Weekly News for January 13, 2004 is out. This week Taran Rampersad
talks about GNU/Linux, usability,
freedom; packages.debian.org has been restored, even better than before; an
argument supporting non-free; and much more.
BugWatcher 0.22 is now available. It is a
graphical tool for viewing and editing bug reports. The package name is
debbuggtk and it should be available on a mirror near you.
DebianPlanet takes a look at Planet Debian. "A very cool site which has
already made it into my daily reading
bookmark folder, and is tempting me to take up blogging too..."
Fedora News Updates #2 is out, with all the latest Fedora news.
This glibc update fixes lots of bugs in the
regular expression matcher and speeds it up. It fixes a couple of other
bugs as well.
Dave Jones has made a patched 2.4.22 kernel
available, with EXT2/3 fixes from 2.4.25pre and some 2.4.23pre patches.
This php update includes the latest stable
release of PHP 4 with a large number of bug fixes since the previous 4.3.3
release.
The Gentoo Weekly Newsletter for the week of January 12, 2004 is out. This
issue announces the winners of the 2003 Gentoo Bug Hunt and much more.
The first issue of the Mandrake Linux News Digest, dated January 12, 2004,
is out with a look at MandrakeMove,
Mandrake Linux for AMD64, Mandrake 10.0 Pre-Beta, and more.
A kdebase-servicemenu update is available
for Mandrake Linux 9.1. The update corrects problems in zipping files via
konqueror.
LinuxDevices takes a look at Monterey Linux, a distribution from Pigeon Point
Systems. "According to Pigeon Point, Monterey Linux is a narrowly focused
Linux distribution that emphasizes high quality, cost-effective support for
selected System-on-Chip (SoC) processors, including the TMS320DM310,
TMS320VC547x, and TMS320DA180. These chips provide a general purpose CPU, a
C54x DSP, and numerous peripheral interfaces on a single inexpensive,
low-power chip."
NewsForge delves into the process of getting and installing NetBSD-current.
"The BSD
family of Unix-like operating systems evolved from the last release of
4.4BSD, released by the University of California some years ago. As with
Linux, they have full releases and a live CVS tree. This article discusses
why you might want to run the -current branch of NetBSD, how you would go
about it, and a bit of what could go wrong."
New Distributions
The Ares Desktop has been created by merging two existing projects, Blue
Linux and J.A.M.D. The merger creates a larger pool of developers with the
common goals of building a free operating system for computers aimed at the
educational, home and small business markets.
Gentoo For Zaurus is a port of the Gentoo Distribution to the Zaurus PDA,
based on Cacko X11 Rom and The Emerde Project. It can be mounted over NFS
so no changes to a current configuration are needed. It includes a native
gcc environment for ARM, the zgcc-3.3.1 cross compiler for the main PC with
distcc configured so that the main PC does the actual compiling, and X11
for testing applications. The current version is 0.2, dated January 12,
2004.
LinuxDefender Live! CD is a Rescue CD based on Knoppix. It features
full NTFS write support (using Captive). It also includes instant antivirus
and antispam SMTP protection, which is managed via Webmin. Desktop
antivirus protection is integrated into the KDE interface, using
BitDefender for Linux technology. The first version of the LinuxDefender
Live! CD (2003-12-18) was launched at the Romanian LUG event LinuxConf
2003.
XoL is a diskless Linux "Live CD" distribution from the makers of SoL (Server
optimized Linux). Nothing is written to the hard drive unless the user really
wants to save it. It offers both KDE and GNOME, OpenOffice.org, and USB
storage device support for storing data. XoL joins the list at version
17.00o.BETA, released January 14, 2004.
Minor distribution updates
Buffalo Linux has released v1.1.0 with major feature enhancements.
"Changes: This major release
includes five kernels, all based on 2.4.24. It also includes the available
updates from Slackware "current". Many bugfixes were made, and much better
integration with Codeweavers CrossOver Office was added. The 2.4.24 kernels
for i486, i586, i686, ipent3, and ipent4 are also available as separate
downloads. These can be used to upgrade the earlier "rc3" release to the
latest kernel."
Feather Linux has released v0.3.2 with minor feature enhancements.
"Changes: A dpkg-get script has
been added. The Opera install script has been tweaked. gpart, socat,
prozilla, traceroute, and Midnight Commander have been added. nedit has
been replaced with SciTE because of space reasons."
Fli4l (Floppy ISDN/DSL) has released development v2.1.5 with minor feature
enhancements. "Changes: This version adds a new kernel (2.4.23 with security fix
from 2.4.24), a new version of BusyBox, and a new DNS server (dnsmasq). It
now supports the AVM Fritz!Card DSL SL. Support for LCDs with "Winamp"
wiring was added. dropbear was added as an SSH2 server; using SSH1 is now
deprecated. There are new features for the W-LAN package. There is a VPN
package with OpenVPN and CIPE. There are also many bugfixes."
GoboLinux has released v010 with major feature enhancements.
"Changes: Among the new features
are a new installer, hardware detection, and new custom themes. As usual,
several packages were also upgraded, including KDE 3.1.4, GCC 3.3.2,
XFree86 4.3 (with NVidia support), Glibc 2.3.2, and OpenOffice 1.1. The ISO
is simultaneously an installation disc and a Live CD."
Local Area Security Linux has released v0.4.1 with major feature
enhancements. "Changes: All packages have been
upgraded to current. There is a new theme, background, and many other menu
and cosmetic improvements. Many packages have been added to increase the
size to 210 MB." Note: a smaller version is still available.
Rock Linux has released v2.0.0-rc4 with minor feature enhancements.
"Changes: This release updates
many packages (including gcc33, gdb, alsa, subversion, xscreensaver,
rdesktop, gimp, epiphany, galeon, and cpufreqd), adds packages (such as
xfig, transfig, nxcomp, and nxproxymany), improves the download system, and
improves partitioning in the installer."
Desktop Rock v2.0.0-rc3 has also been released. "Changes: This
release is based on ROCK Linux 2.0.0-rc3 and so features the various
package version updates and additions, as well as the improved download
system, and enhanced partitioning in the installer."
SLAX has released v3.0.25 with major feature enhancements.
"Changes: SLAX is now based on
version 3.0.25 of the linux live scripts. This version features KDE
3.2beta2 and KOffice 1.3rc2, and uses overlay filesystem (ovlfs) to make
the CD and the whole root filesystem pseudo-writable. More enhancements:
Floppy automounting was added. KDE language support was added for Czech
(cs), German (de), Brazilian (pt_BR), and French (fr). HorizSync was
modified in the X config file in an attempt to get a better display. Mouse
detection was enhanced. The monkeyd httpd server was added with its home in
/root/public/www. The "nopcmcia" kernel parameter was added."
ThePacketMaster has released v1.2.0 with major security fixes.
"Changes: This release updates the
kernel to 2.4.24 to address issues found in 2.4.23 and earlier. It adds new
packages for forensic analysis and vulnerability testing. /usr is now in a
cloop filesystem for a smaller ISO image. XFree86 is now included, as well
as the Enlightenment window manager, the Mozilla Web browser, and
Java."
Page editor: Rebecca Sobol