Tuesday, August 01, 2006

SELinux: is it really more secure?

If you're out of touch with recent Linux development (like me), chances are you might have encountered SELinux—Security-Enhanced Linux (probably in a bad way) while trying new distros or maintaining/updating your favorite packages.

I'm all for better security, having been a sysadmin in the past, but I must confess SELinux baffles. The idea seems simple enough: introduce security context for subjects (processes/users) and objects (files/devices), utilizing all 'the security-relevant information available', and not just rely on 'authenticated user identity'.

What I still don't understand (I'm a little lazy right now to sit & read through mountains of documentation) is how older programs and packages are supposed to work with SELinux? Last week I installed Qmail+Courier+Squirrelmail, and every individual package troubleshooting page would contain a note about disabling SELinux!

This is reminiscent of how J2ME security model ends up being an obstacle to user adoption rather than increase the sense of users' security when installing an application on their mobile...

More links here on SELinux.

No comments: