O’Reilly news

"SELinux": Stave Off the Zero-Day Vulnerability Threat (Straight from the NSA)

November 12, 2004

Sebastopol, CA--There are few things as critical to a system administrator's work as security. According to Bill McCarty, author of SELinux: NSA's Open Source Security Enhanced Linux (O'Reilly $39.95), as the number and variety of software vulnerabilities and attacks continue to accelerate, security is probably the most important topic in computing today. But the ongoing search for a more secure operating system has often left everyday production computers far behind their experimental research cousins. SELinux (Security Enhanced Linux) dramatically changes this situation.

McCarty, who has been tracking SELinux on his technology radar for several years, previously had not considered it a workable solution for the typical sys admin. "It didn't seem easy enough, or robust enough, for dependable use by Linux system administrators," he recalls.

But recently SELinux has come of age. "I now believe that SELinux is the most important computing technology for Linux users that I've seen in the last several years," states McCarty. "Obviously, others agree that SELinux is important and useful: SELinux has been incorporated into Fedora Core, Gentoo, and SUSE Linux." In addition, the new Red Hat Enterprise Linux 4, expected to release in first quarter 2005, will be a fully supported Linux distribution featuring SELinux.

SELinux emerged from research by the National Security Agency and implements classic strong-security measures such as role-based access controls, mandatory access controls, and fine-grained transitions and privilege escalation following the principle of least privilege. It compensates for the inevitable buffer overflows and other weaknesses in applications by isolating them and preventing flaws in one application from spreading to others. The scenarios that cause the most cyber-damage these days--when someone gets a toe-hold on a computer through a vulnerability in a local networked application, such as a web server, and parlays that toe-hold into pervasive control over the computer system--are prevented on a properly administered SELinux system.

The key, of course, lies in the words "properly administered." A system administrator for SELinux needs a wide range of knowledge, such as the principles behind the system, how to assign different privileges to different groups of users, how to change policies to accommodate new software, and how to log and track what is going on. And this is where SELinux is invaluable.

"Readers learn how to install, initially configure, and maintain Linux systems using SELinux. Properly configured SELinux systems are expected to be highly resistant to compromise," says McCarty. His goal in writing the book was to demystify SELinux for everyday users: "It's not written for experienced SELinux policy developers and other geniuses, as much as I respect them and appreciate their contributions to SELinux. Instead, the book is written for the typical system administrator who's trying to figure out how to keep bad guys out of the systems for which he or she is responsible."

Topics in the book include:

  • A readable and concrete explanation of SELinux concepts and the SELinux security model
  • Installation instructions for numerous distributions
  • Guidelines for basic system and user administration
  • A detailed dissection of the SELinux policy language
  • Examples and guidelines for altering and adding policies

With SELinux, a high-security computer is within reach of any system administrator. If you want an effective means of securing your Linux system--and who doesn't?--this book provides the means.

Additional Resources:

SELinux
Bill McCarty
ISBN 0-596-00716-7, 238 pages, $39.95 US, $57.95 CA
order@oreilly.com
1-800-998-9938; 1-707-827-7000

About O’Reilly

O’Reilly Media spreads the knowledge of innovators through its books, online services, magazines, and conferences. Since 1978, O’Reilly Media has been a chronicler and catalyst of cutting-edge development, homing in on the technology trends that really matter and spurring their adoption by amplifying “faint signals” from the alpha geeks who are creating the future. An active participant in the technology community, the company has a long history of advocacy, meme-making, and evangelism.