Red Hat To Support SE Linux In Enterprise Linux 4.0

Red Hat Enterprise Linux 4.0, due out in 2005, will include support for Security-Enhanced Linux (SE Linux), according to a spokeswoman from the Raleigh, N.C.-based commercial Linux vendor.

SE Linux is a project funded by the National Security Agency (NSA) to add multilevel security to the Linux operating system so it will be more secure for a broad range of deployments, including those that require high levels of security.

In an e-mail to CRN this week, Linus Torvalds said much of the code to enable SE Linux is already a part of the recently released Linux kernel, 2.6. The Linux camp has been stepping up its efforts to make current and future versions of Linux as secure as possible in light of all the security issues around Microsoft Windows, such as last week's MyDoom virus, the ramifications of which are still being felt.

At the EclipseCon show in Anaheim, Calif., earlier this week, Red Hat CTO Michael Tiemann stressed Red Hat's commitment to SE Linux as part of its Fedora open-source project in a keynote address Wednesday.

Calling multilevel security such as that in SE Linux the "Holy Grail" of system security, Tiemann said SE Linux would be the default security policy of the next version of Fedora, due out soon.

Red Hat introduced Fedora in late 2003 as an open-source Linux project for "noncritical environments," according to Red Hat. Many believe Fedora was created to stave off criticism from the open-source community that Red Hat is too focused on the commercial aspects of Linux rather than its open-source roots.

Tiemann said Linux itself is believed to be a more secure operating system than most. However, Linux does have its vulnerabilities, though they haven't yet been as widely attacked as those in Windows.

One key vulnerability in Linux is that once a hacker accesses its root, the whole system is compromised, Tiemann said. According to the NSA Web site on SE Linux, the SE Linux kernel solves this problem because it has "no concept of a 'root' superuser and does not share the well-known shortcomings of the traditional Linux security mechanisms."

Instead, SE Linux enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs, according to the NSA. When confined in this way, the ability of user programs and system daemons to cause harm when compromised is reduced or eliminated.

Tiemann outlined an instance of how SE Linux is more secure than traditional Linux in his EclipseCon keynote Wednesday. He said that in a security test on a previous version of Red Hat Linux in 1999, it took only 45 seconds for a hacker to break into the system. A recent test on a version of Linux running SE Linux as its security policy still has yet to be cracked, even though the IP address of the system was published to would-be hackers and the root had no IP address.

"Wouldn't it be great if we could think about building apps and OSes and tools to build applications with that strength [security] model?" Tiemann said.

But vendors and IT decision-makers widely believe it is too expensive to implement these more hacker-resistant security models, he said.

Tiemann said he is optimistic that projects like the Eclipse open-source development framework could inspire development of these secure systems because they take the development of security off the shoulders of individual corporations and put it in the hands of the community at large.

"Eclipse gives me hope because Eclipse provides the opportunity for a very targeted approach for defining, visualizing and implementing all the policy files [needed for multilevel security]," Tiemann said. "Tools that provide the kind of assistance that Eclipse can provide can give the open-source community that kind of acceleration to put policy files around."

Paula Rooney contributed to this story.