The US Federal Government has a love-hate relationship with Linux and OSS in general. Some agencies love it and the flexibility it brings. Some agencies hate OSS and its seemingly headless, formless management. One agency I've worked with would only use OSS if you could testify that you had reviewed every line of the source code.

The Navy CIO a couple of weeks ago issued a memorandum considering acquisition of OSS to be the same as COTS, Commercial Off-The-Shelf (i.e., shrink-wrap software). This is a very progressive step in the eyes of Linux fans because now our product is on the same footing as "the competition".

But this is a blog about Linux security, not government procurement regulations (drool, bored, drool)....

Inside the Government, you have quite a bit of support for developing solutions on Linux. Quite a few of the pieces of a Linux distro, at all layers of the OS, were either created or contributed to by the government.

Which brings us to SELinux. It made a huge splash when it was first developed by the NSA, but it's been languishing around since then as a lab project that never went mainstream (as much as Linux software can be considered "mainstream"). I think the biggest problem with adoption is that it's geeky, almost too geeky to understand unless you really want to dive into how an OS kernel and core libraries and applications work.

I think the question that the public has about SELinux is "What can it do for me?" If system administrators don't understand a technology, then they won't be able to see the value in using it, especially when it adds yet another layer of complexity and abstraction.

Basically, the concept with SELinux is that you get an extra set of access policies, enforced by the kernel, called Mandatory Access Control (MAC). Ordinary Unix permissions are discretionary: the owner of a file decides who may touch it, and root may touch anything. MAC policy is instead set centrally by the administrator. Every process runs in a domain, every file, directory, socket or other object carries a type label, and the only operations permitted are the ones the policy explicitly allows for that domain and type. A process cannot loosen the policy for its own files, and running as root does not bypass it. MAC means that you have the ability to limit and fine-tune what a user or application is allowed to do or not to do.
Think filesystem permissions on steroids, applied to any resource that a user or program could need.

The beautiful part of MAC is that vulnerabilities in software become less critical on a system using it. Just because you can compromise a service/daemon running on a server doesn't necessarily mean that you have permissions to exploit the rest of the machine: the exploited process is still confined to its domain, so a web server whose policy lets it read its content directory and append to its log cannot suddenly read /etc/shadow or overwrite binaries, even if the exploit hands you the daemon's full privileges or a root shell inside that domain. The caveat is that the confinement is only as good as the policy written for that domain (an overly permissive or "unconfined" domain buys you nothing), and that the enforcement lives in the kernel, so a kernel-level vulnerability is still game over.

Really, when you start looking at SELinux, it's exactly the kind of innovation that we need in the OS space. If done correctly, we don't have to run the rat race of vulnerability detection and exploitation as hard or as far as we are today.
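To make the DAC-versus-MAC point from the last two paragraphs concrete, here is an added example (constructed for this post, not SELinux's own kernel code or its shipped policy). It parses a few `allow` rules written in SELinux policy syntax into a table, then answers access questions the way the kernel does: the discretionary check runs first, the mandatory check runs second, both must pass, and the mandatory check never looks at the uid. The type names (httpd_t, shadow_t, and so on) mirror the reference-policy naming convention, but the rules themselves, the uid 48 for the web server account, the file modes and the shape of the denial message are all assumptions of this example.

```python
"""
Toy type-enforcement (TE) evaluator in the spirit of SELinux.

Constructed example, not SELinux's own code or policy. It parses a few
`allow` rules in SELinux policy syntax, then decides access the way a MAC
system does: default deny, uid 0 is not special, and a process confined
to a domain can only do what that domain's rules permit, regardless of
the file's mode bits.
"""
import re
from dataclasses import dataclass

# Constructed policy fragment. Type names follow the reference-policy
# convention, but these rules are this example's own, not the shipped
# policy. Note that no rule lets httpd_t touch shadow_t at all.
POLICY = """
allow httpd_t httpd_sys_content_t:dir { search getattr open read };
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append create getattr open };
allow passwd_t shadow_t:file { read write getattr open lock };
"""

# allow <source_type> <target_type>:<class> { perm ... };  (or one bare perm)
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")


def parse_policy(text):
    """Turn allow rules into {(source_type, target_type, class): {perms}}."""
    rules = {}
    for m in RULE_RE.finditer(text):
        src, tgt, cls, braced, single = m.groups()
        perms = set(braced.split()) if braced is not None else {single}
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules


RULES = parse_policy(POLICY)


@dataclass(frozen=True)
class Process:
    uid: int       # DAC identity; 0 is root
    domain: str    # SELinux domain (the type in the process's context)


@dataclass(frozen=True)
class Obj:
    path: str
    owner_uid: int
    mode: int      # Unix permission bits, e.g. 0o640
    type_: str     # SELinux type label on the object
    cls: str       # SELinux object class: "file" or "dir"


# Mode bit a permission needs under DAC (simplified: groups omitted, and
# permissions DAC has no bit for, such as getattr, are treated as free).
DAC_BIT = {"read": 4, "open": 4, "lock": 4, "write": 2, "append": 2,
           "create": 2, "search": 1}


def dac_allows(proc, obj, perm):
    """Classic discretionary check: root bypasses everything, otherwise
    the owner bits or the "other" bits decide."""
    if proc.uid == 0:
        return True
    bit = DAC_BIT.get(perm)
    if bit is None:
        return True
    shift = 6 if proc.uid == obj.owner_uid else 0
    return bool((obj.mode >> shift) & bit)


def mac_allows(rules, proc, obj, perm):
    """Type enforcement: permitted only if an allow rule grants <perm> for
    (domain, type, class). The uid plays no part, so root gets no pass."""
    return perm in rules.get((proc.domain, obj.type_, obj.cls), set())


def check(rules, proc, obj, perm):
    """Kernel order: DAC first, then the SELinux hook; both must say yes.
    Returns (allowed, denial_message_or_None)."""
    if not dac_allows(proc, obj, perm):
        return False, None          # plain EACCES, nothing for the AVC log
    if mac_allows(rules, proc, obj, perm):
        return True, None
    # Shape loosely modelled on the kernel's AVC audit line (simplified).
    msg = (f"avc: denied {{ {perm} }} for uid={proc.uid} path={obj.path} "
           f"scontext={proc.domain} tcontext={obj.type_} tclass={obj.cls}")
    return False, msg


def demo(rules=RULES):
    """A web server exploited all the way to uid 0, measured against MAC."""
    shadow = Obj("/etc/shadow", 0, 0o000, "shadow_t", "file")
    index = Obj("/var/www/html/index.html", 0, 0o644, "httpd_sys_content_t", "file")
    log = Obj("/var/log/httpd/access_log", 48, 0o640, "httpd_log_t", "file")
    httpd = Process(uid=48, domain="httpd_t")       # assumed service account
    httpd_root = Process(uid=0, domain="httpd_t")   # same daemon, now uid 0
    passwd = Process(uid=0, domain="passwd_t")      # setuid passwd, legitimately root
    return {
        "httpd reads content": check(rules, httpd, index, "read")[0],
        "root httpd writes content": check(rules, httpd_root, index, "write")[0],
        "httpd appends log": check(rules, httpd, log, "append")[0],
        "root httpd reads shadow": check(rules, httpd_root, shadow, "read")[0],
        "root httpd reads shadow (DAC alone)": dac_allows(httpd_root, shadow, "read"),
        "passwd reads shadow": check(rules, passwd, shadow, "read")[0],
    }


if __name__ == "__main__":
    for question, answer in demo().items():
        print(f"{question:40s} {'allowed' if answer else 'DENIED'}")
    print(check(RULES, Process(0, "httpd_t"),
                Obj("/etc/shadow", 0, 0o000, "shadow_t", "file"), "read")[1])
```

The interesting row is the exploited daemon: DAC alone waves root through to /etc/shadow, but the mandatory check finds no rule for (httpd_t, shadow_t, file) and denies it, which is exactly what an AVC denial in the audit log looks like on a real box. The flip side is visible in the policy fragment too: every permission the daemon legitimately needs has to be spelled out, which is the source of the "too geeky" complaint.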