Red Hat last week released Fedora Core 3, the latest version of its cutting-edge Linux distribution, including a redesigned version of Security Enhanced Linux (SE Linux).
While the software is aimed at developers and enthusiasts, it is seen as a testing ground for technologies that can later be built into the enterprise distribution, Red Hat Enterprise Linux (RHEL). SE Linux is a case in point: Red Hat and other SE Linux developers have used the feedback from the version included in Fedora Core 2 to make the system more usable in the real world.
It's clearly a method that works: Novell paid Red Hat the compliment of aping this twin-track modus operandi with the release of its desktop-targeted Novell Linux 9.
Originally developed by the U.S. National Security Agency (NSA), SE Linux implements Mandatory Access Control (MAC) in the Linux kernel using a framework called Linux Security Modules (LSM). The idea is to give administrators granular permissions for all subjects, such as users, programs and processes, and objects, such as files and devices, giving them just enough access to function.
The SE Linux model addresses a problem with current computing models where malicious or flawed software running with root or normal user privileges -- planted by a worm, for example -- can't be controlled. Such security-oriented features are likely to become ever more important to the enterprise as threats increase and companies become generally more dependent on IT, Red Hat believes.
Core 2 included SE Linux, but it was not installed by default; in addition, it used the NSA's "strict" policy, which Red Hat said turned out to be too restrictive to be used as a default. In response, developers came up with a new "targeted" policy, turned on by default in Core 3, which only locks down automatic processes (called daemons) that are particularly important or vulnerable.
The affected daemons include named, httpd, dhcpd, portmap, squid, nscd, syslogd, snmpd and ntpd. Users have the option of switching on the "strict" policy or uninstalling SE Linux entirely.
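To check that the daemons named above really run confined under the "targeted" policy, their SE Linux domains can be read from `ps -eZ`. The sketch below is an added example, not code from Red Hat or the SE Linux project; it assumes each daemon's domain is named `<daemon>_t` and that unconfined processes appear in `unconfined_t`, and it runs against a constructed sample of `ps -eZ` output.

```python
# Daemons the article lists as locked down by the "targeted" policy.
TARGETED_DAEMONS = ("named", "httpd", "dhcpd", "portmap", "squid",
                    "nscd", "syslogd", "snmpd", "ntpd")

# Constructed sample of `ps -eZ` output: label, pid, tty, time, command.
SAMPLE_PS = """\
LABEL                             PID TTY          TIME CMD
user_u:system_r:unconfined_t        1 ?        00:00:01 init
root:system_r:syslogd_t          1502 ?        00:00:00 syslogd
root:system_r:httpd_t            1733 ?        00:00:00 httpd
root:system_r:httpd_t            1740 ?        00:00:00 httpd
user_u:system_r:unconfined_t     1801 ?        00:00:00 named
user_u:system_r:unconfined_t     1902 pts/0    00:00:00 bash
"""

def parse_ps_z(text):
    """Return (pid, domain, command) tuples from `ps -eZ` text."""
    rows = []
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) != 5 or not fields[1].isdigit():
            continue  # header line or malformed row
        label, pid, _tty, _time, cmd = fields
        parts = label.split(":")  # user:role:type, optionally :level
        if len(parts) < 3:
            continue  # not an SE Linux security context
        rows.append((int(pid), parts[2], cmd.split()[0]))
    return rows

def audit(text, daemons=TARGETED_DAEMONS):
    """Map each running targeted daemon to [(pid, domain, confined?)]."""
    findings = {}
    for pid, domain, cmd in parse_ps_z(text):
        name = cmd.rsplit("/", 1)[-1]
        if name in daemons:
            # Assumption: the expected domain is "<daemon>_t".
            ok = domain == name + "_t"
            findings.setdefault(name, []).append((pid, domain, ok))
    return findings

def not_confined(text, daemons=TARGETED_DAEMONS):
    """Names of targeted daemons with a process outside its own domain."""
    return sorted(name for name, procs in audit(text, daemons).items()
                  if any(not ok for _pid, _domain, ok in procs))

if __name__ == "__main__":
    for name, procs in sorted(audit(SAMPLE_PS).items()):
        for pid, domain, ok in procs:
            print(f"{name:8} pid={pid:<6} {domain:14} {'ok' if ok else 'NOT CONFINED'}")
```

On a live system, pass the captured output of `ps -eZ` to `audit()` in place of the sample; a daemon that is not running simply does not appear in the result.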
Besides SE Linux, Core 3 includes the 2.6.9-1.667 kernel, Gnome and KDE desktop software and Novell's Evolution 2.0 groupware client, among other software. Red Hat is making x86 and x86-64 binaries available via its Web site, various mirrors and a peer-to-peer BitTorrent download.