SELinux Odds and ends

  • What is Security Enhanced PostgreSQL? Good overview from Kaigai Kohei, with cute diagrams.

    SEPostgreSQL diagram

  • Schneier blogs about the future of security as a standard feature, eliminating the “best-of-breed vs. suites” decision:

    That they’re forced to spend money on IT security is an artifact of the youth of the computer industry. And sooner or later the need to buy security will disappear.

    It will disappear because IT vendors are starting to realize they have to provide security as part of whatever they’re selling.

    Interesting article, but the concept of shipping security features by default is already well established, and was in several cases pioneered, within FOSS. For example, the idea that mandatory access control could be enabled by default in a general-purpose OS was, I think, unheard of until SELinux was released as a standard part of Fedora.

    Linux systems have many best-of-breed security features available as standard, typically for free: firewalling, PAM, OpenSSH (thanks, OpenBSD folk), binary protection, code review, vulnerability response, audit, crypto, network stack hardening, and so on. The inclusion of such features as standard, rather than as expensive, layered products with vendor lock-in written all over them, is itself an innovation in computer security, and one which is now being adopted by major OS vendors.

    I was surprised to see Bruce interviewed a few months back, being asked what he thought Linux had contributed to security, and to see him answer something along the lines of merely raising the bar for Windows. That may be true to an extent, but he seems to underestimate (or not understand) the direct value now provided to the millions of systems running Linux, many of which are running all kinds of critical workloads. We’re talking stock exchanges, large banking systems, Google, telephone exchanges, cell phones, supercomputers, file and print servers, much of the web, mail servers, routers, hospitals, military, government, and almost anything else you can think of. FOSS achievements stand on their own, and frankly, have enabled progress which simply would not otherwise have occurred.

  • For those who may have missed it, Linuxworld covered SELinux mitigation of vulnerabilities. I was interviewed for this, which I think is the first time I’ve been interviewed for a magazine.
  • Government Computer News has coverage of the Labeled NFS effort on its front page today. Dave Quigley presented on the topic this week at IETF 71 — it’ll be very interesting to see how that turned out, as IETF acceptance is a critical requirement for the project.