Use RHEL5 to defend SELinux

Source: Internet
Author: User

Security-Enhanced Linux, known as SELinux, is a powerful and controllable tool that IT managers can use to ensure the security and stability of Linux systems. SELinux is an implementation of mandatory access control developed by the National Security Agency (NSA). Currently, SELinux has been integrated into most mainstream Linux distributions.

"SELinux can prevent theft, spread junk information, and prevent 'worms' from attacking websites," said Dan Walsh, chief software engineer at Red Hat. He is also a formal participant in the SELinux project. IT managers should enable SELinux in all aspects of the data center at all times, according to Walsh.

The problem is that many users now turn SELinux off (SELinux has been built into the Red Hat Enterprise Edition Linux system).

SELinux, an open source security technology, is widely recognized for ensuring high security, but it is also considered too complicated. RHEL 5 (Red Hat Enterprise Linux 5) contains a large number of new tools and management features to solve this problem, but is it too late?

SELinux: facts and perception

"The biggest problem with SELinux is people's perception of it," said Jim Klein, information service and technology director at the Saugus school district in California, "It is notorious for its early lack of configuration tools and troubleshooting tools, which is why people choose to disable it."

Klein said that, unfortunately for SELinux advocates, when managers check for system faults, the first question is often "Is SELinux enabled?" He also said that SELinux is disabled in his data center and that he does not intend to restore it to its active state unless the district switches to RHEL5.

Even so, Red Hat still said that the "complexity problem" of SELinux will gradually be solved. At the Red Hat annual summit in San Diego, he said he recently broke down SELinux. Currently, the application security technology is enabled by default in Red Hat Enterprise Linux 5. RHEL4 also contains SELinux, but only with the arrival of RHEL5 can he and other SELinux experts safely claim "Let SELinux open everywhere."

"RHEL4 is like an example of this technology," says James. "We divide it into a certain number of domains, or 15 target program groups that can be accessed by applications."

However, in RHEL5, there are 200 target program groups. He reiterated that "RHEL5's goal is to make SELinux unfeasible."

SELinux: complicated, but the troubleshooting tool can help

As a writer and SELinux expert, Frank Meyer knows more about SELinux than most people.

"I don't want to condemn people who specifically raise the 'complicated' issue," he said. "But this perception is generated because SELinux has the ability to protect any transactions provided by the Linux kernel, and the Linux kernel itself is very complicated."

In Meyer's view, when users claim that SELinux cannot be effectively configured because it is too complex, it is equivalent to claiming that they cannot use the Linux kernel because they do not know how to write a device driver. "Logically, this is meaningless," he said.

In response to this perception, Red Hat has introduced the SELinux Troubleshooter in RHEL5. The Troubleshooter, also called setroubleshoot, is a tool that monitors the audit records for Access Vector Cache (AVC) messages.

According to the Fedora Project website, users, system administrators, and developers often encounter AVC denials. The Fedora Project website is where most SELinux and Red Hat Linux architecture tests are conducted. After SELinux is fully debugged and properly configured, AVC denials are triggered only by actual security intrusions. However, because SELinux is still a new technology and its policies are still under development, most AVC denials are not caused by actual security intrusions. In addition, users are still learning to configure SELinux, which is another cause of AVC denials.

At present, when an AVC denial occurs, the troubleshooting tool runs it against the SELinux plug-in database to find a match and sends the user a message containing a description of the problem and suggestions. Industry observers such as Meyer and Walsh believe that this tool can help users distinguish real problems from false alarms; the difficulty of telling the two apart is the main obstacle to the adoption of SELinux by IT managers.
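The AVC audit records described above can be triaged by hand in the same spirit. The following is an added example, not setroubleshoot's code and not part of the original article: it parses AVC denial records and groups identical denials so that repeated policy mismatches stand out. The log lines are constructed samples, and the function names `parse_avc` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not taken from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1181234567.101:310): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=48213 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1181234567.101:310): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1181234570.442:315): avc:  denied  { read } for  pid=2104 comm="httpd" name="about.html" dev=dm-0 ino=48220 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1181234601.007:322): avc:  denied  { name_bind } for  pid=2250 comm="named" src=8053 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)

def parse_avc(line):
    """Return the security-relevant fields of one AVC denial, or None."""
    m = AVC_RE.match(line)
    if not m:
        return None  # SYSCALL and other record types are skipped
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: do not guess at missing contexts
    return {
        "perms": tuple(m["perms"].split()),
        "comm": fields.get("comm", "").strip('"'),
        # A context is user:role:type:level; the type drives policy decisions.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def summarize(log_text):
    """Count denials per (source type, target type, class, permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            key = (d["source_type"], d["target_type"], d["tclass"], d["perms"])
            counts[key] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (src, tgt, cls, perms), n in summarize(SAMPLE_LOG):
        print(f"{n}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

A denial that repeats for the same source and target type usually points at a labeling or policy gap, while a one-off denial from an unexpected domain deserves a closer look.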

Klein said that the troubleshooting tool is a popular addition, but it may be too late to help solve SELinux's perception problem. He said that the troubleshooting tool and tools like it are the starting point for managers to seriously consider whether to re-enable SELinux. "However, the difficulty is to persuade people who have considered SELinux as the 'root cause of all problems' not to simply close it when the problem occurs."

So far, Saugus has disabled SELinux on most servers, said Klein. While SELinux tools and policies mature, traditional settings are used as the defaults to ensure application security.
