• United States



Linux, the Government, and SE-Linux

Jun 30, 20073 mins
Data and Information Security

The US Federal Government has a love-hate relationship with Linux and OSS in general.  Some agencies love it and the flexibility it brings.  Some agencies hate OSS and its seemingly headless, formless management.  One agency I’ve worked with would only use OSS if you could testify that you had reviewed every line of the source code.The Navy CIO a couple of weeks ago issued a memorandum considering acquisition of OSS to be the same as COTS–Commercial off-the-shelf (ie, shrink-wrap software).  This is a very progressive step in the eyes of Linux fans because now our product is on the same footing as “the competition”.

But this is a blog about Linux security, not government procurement regulations (drool, bored, drool)….

Inside the Government, you have quite a bit of support for developing solutions on Linux.  Quite a few of the pieces of a Linux distro at all layers of the OS were either created or contributed to by the government.

Which brings us to SE-Linux.  It made a huge splash when it was first developed by the NSA, but it’s been languishing around since then as a lab project that never went mainstream (as much as Linux software can be considered “mainstream”).  I think the biggest problem with adoption is that it’s geeky, almost too geeky to understand unless you really want to dive into how an OS kernel and core libraries and applications work.I think the question that the public has about SE-Linux is “What can it do for me?”  If system administrators don’t understand a technology, then they won’t be able to see the value in using it, especially when it adds yet another layer of complexity and abstraction.Basically the concept with SE-Linux is that you have an extra set of access policies called Mandatory Access Control.  MAC means that you have the ability to limit and fine-tune what a user or application is allowed to do or not to do.  Think filesystem permissions on steroids and applied to any resource that a user or program could need.The beautiful part of MAC is that vulnerabilities in software become not as critical in a system using MAC.  Just because you can compromise a service/daemon running on a server doesn’t necessarily mean that you have permissions to exploit the rest of the machine.Really when you start looking at SE-Linux, it’s exactly the kind of innovation that we need in the OS space.  If done correctly, we don’t have to run the rat race of vulnerability detection and exploitation as hard or as far as we are today.


Michael Smith is the Chief Information Security Officer with a managed services provider based in Reston, Virginia. His scope of responsibility includes both providing governance and managing risk for several data centers, Security Operations Center, Network Operations Center, Server Management Team, and several disaster recovery sites. Michael started his adult life as a Russian Linguist in the US Army and migrated from there to Linux system administration and on to the security world. He is a member of the ISM-Community Steering Committee and teaches government information assurance through the Non-Profit Potomac Forum . Michael is both a Certified Information System Security Professional (CISSP) and an Information System Security Engineering Professional (ISSEP). You can read Michael's non-Linux personal blog at .