Dan Walsh has been giving some RHEL security presentations recently, and I thought the slides were pretty cool, so here they are in PDF form. They include a nice overview of the comprehensive security features available in RHEL, including SELinux, ExecShield and PIE. The slides are obviously written from a Red Hat point of view, but also apply to Fedora and any of the distros incorporating the same features.
I’ve been reviewing papers for the SELinux Symposium, and am very impressed with the quality and scope of the activity within and around the SELinux community. Much progress continues to be made in many areas, including usability (as can also be seen by tracking SELinux News).
The release of Fedora Core 6 has unleashed many of the SELinux infrastructure and usability improvements, such as modular policy and setroubleshoot. There’ve been some nice reviews, like Fedora Core 6: Innovations Continue from eweek:
Review: The fast-moving Red Hat distribution polishes SELinux, adds new tools and improves performance.
In its first five releases, Red Hat’s Fedora Core has represented the Linux technology vanguard. And so it is with Fedora Core 6.
During tests, Fedora Core 6 impressed eWEEK Labs with the progress it has made toward making Security-Enhanced Linux—and the dramatically improved security protections that SELinux helps afford—more palatable.
Of course, it’s not perfect yet, but it’s reassuring to see that people will come back and re-evaluate things you’ve been working to improve.
One analogy I like to use is to think of SELinux as a major, fundamental change in computer security, with the integration of Mandatory Access Control into general purpose computing. Like any significant change, it can be a long and difficult road, and really a matter of effort and persistence once you have the fundamentals in place. So, the progress of SELinux is perhaps like the development of programming languages, where you had a progression from machine code to assembler, then to higher level languages like C, Perl and Ajax. I’d say, with SELinux, that we’re past the assembly and 3GL phase and are moving to scripting and graphical IDEs. Just like you wouldn’t say computers are too complicated because Joe Random can’t understand the Intel® 64 and IA-32 Architectures Software Developer’s Manual, it is nonsensical to say that SELinux is fundamentally too complicated because of its underlying architecture. In fact, SELinux is merely revealing the true extent of the complexity of the security interactions in the OS, and providing a flexible mechanism to control it. Usability is entirely a matter of developing the right abstractions. You can’t pretend complexity isn’t there, but you can hide it. On the other hand, if your fundamentals are wrong, no amount of eye candy can help.
FC6 also features a bunch of improvements in virtualization (e.g. virt-manager and Cobbler), and I hope that we can make Fedora the place to go for the latest and greatest in this area, too (if it’s not already?) I’ve created a virtualization category on the Fedora Project wiki, to collect together the various related pages there. One area that I’m directly involved in is hypervisor research & development. We’ve moved some of our internal (RH) project planning & tracking stuff out to the wiki: see here. If you’re interested in this area, the Fedora project will warmly welcome any contributions.
I’m sad to say I won’t be able to make it to FOSS.IN this year, due to family commitments. It’s one of a few top-tier technical conferences, alongside the likes of LCA and Linux-Kongress, and is especially exciting because of the stunning rate of growth of the community in India. (btw, these global Internet growth stats are very interesting, where India has had over 1000% Internet growth since 2000, which I suspect correlates strongly with FOSS growth). The Final List of Talks looks fantastic.
I wonder which country will be the next to establish a major Linux technical conference. (Japan?)