SELinux aims for security certification and credibility among cautious IT purchasers

By Grant Gross

The Cyberspace Policy Institute at The George Washington University is launching an effort to get international security ratings for the U.S. National Security Agency-driven Security Enhanced Linux project, a move that organizers hope will make Linux more attractive to cautious technology purchasers, including government agencies.

Martin R. Dean, senior security researcher at the Cyberspace Policy Institute (CPI) and principal engineer at Science Applications International Corp., said SELinux still needs some enhancements, such as becoming a fully integrated operating system instead of a patch to Red Hat Linux, but the institute is starting to look for partners to help guide the ultra-secure Linux distribution through the rigorous EAL4 security certification, known formally as the Common
Criteria for Information Technology Security Evaluation

Dean spoke at a panel discussion on SELinux, one of the last events at the FOSE technology-in-government trade show Thursday. Other panelists were Peter Loscocco, the SELinux project leader at the NSA; Tony Stanco, senior policy analyst for Open Source and e-government at CPI and founder of; and Mark Westerman, senior consultant with network security company Westcam and administrator of the SELinux project at

Microsoft is currently trying to get the EAL4 for its Windows 2000 OS, and Dean argues that for Linux to be competitive at places like government agencies, where security ratings are used as a big evaluation tool for buying technology products, SELinux also needs the EAL4 rating.

CPI will coordinate activities like looking for developers and seeking sponsors to finance the security rating. The plan is to seek security ratings from the United States and at least one other country, possibly Great Britain, because some countries have different security standards, and some non-U.S. users might not trust the U.S. rating, Dean said.

Among Dean’s goals is making SELinux easier to install and configure. Loscocco admits SELinux, which NSA released to the public in January 2001, is still hard for non-experts to set up.

NSA’s SELinux documentation includes a sample security policy, but configuring the fine-grained controls, down to what programs individual users can run, does take some knowledge, Loscocco said.

Westerman has written a graphical installer that’s a first step to pitching SELinux to mainstream users. “What we’re looking at is getting the operating system to the point where we can roll it out to an elite IT organization, or where a user can run it on the desktop,” Dean said. “What we looking at is getting the SELinux patch and the Linux operating system to the point where it’s a robust operating system, so it’s not just the small thing that sits on the server, but on everybody’s desktop.”

Dean expects that gaining the security rating will take a couple of years. “What we’re going to have in a couple of years is an operating system that’s been evaluated … and an operating system that’s as easy to use as other operating systems,” he said.

During the panel discussion at FOSE, Loscocco and Westerman talked about the benefits of SELinux. Westerman described a customer’s experience with a cracked DNS server, which was cracked a second time as soon as the customer reloaded the DNS software.

“At that point in time, I grabbed my CDs … and we loaded the SELinux kernel and left everything else identical on the system — same DNS server with the same vulnerability,” he said. “We were watching that hacker hack into the DNS server to perform his buffer overflow and try to execute all the programs.” But with SELinux’s mandatory access controls, the hacker couldn’t execute a program once inside the box even though he had root access.

“With SELinux, we’re not as worried about the next buffer overflow,” Westerman said.

Among the 30 audience members were several Microsoft booth workers. One asked a couple of questions about the SELinux project, including, ironically, whether changes made to ready it for the security certification would be released back to the community under the GNU General Public License. Panelists said that although the rules of security certification and the GPL sometimes conflict they were looking at ways to resolve the potential problems. Among those issues: A security certified operating system that’s had outside changes made to it may lose its certification, and a distribution that’s downloaded from a site that’s not part of the official certification channels loses its certification, Westerman said.

However, Loscocco said his goal would be to release changes back to the GPL, and Dean argued that companies and government agencies looking for the security certification seal of approval may only need to see it once to trust a product.

“You need that check mark,” Dean said. “It’s important for organizations that have greater security needs than the norm to have this assurance process done.”