Re: SE-Linux versions, features, stability?

From: Stephen Smalley <sds_at_tislabs.com>
Date: Tue, 9 Oct 2001 10:53:26 -0400 (EDT)

On Mon, 8 Oct 2001, forrest whitcher wrote:

> Several questions directed to the SE Linux principles
>
> Stephen, in your talk this spring at Usenix you noted that
> you had a server running SE Linux in production for a period
> of months.
>
> Can you advise what SE Linux version(s) are so used and what is
> the operational environment (Internet-exposed? services running
> in secured contexts?)

Hmm... Either I misspoke or you misunderstood me. It is true that I have run SELinux on my desktop and development machines for quite some time (starting with the 2.2 SELinux kernel patch and upgrading to the 2.4 SELinux kernel patch and the 2.4 LSM-based SELinux module). But I haven't run it on production servers.

> I expect that since the stable 2.2.19 kernel-patched version,
> through the 2.4 kernel-patched and into the currently recommended
> LSM-based version that you have added features and killed bugs.

Right. And we haven't backported improvements or bug fixes to the older versions of SELinux, so I can't recommend them currently. As far as I know, no one has asked us to maintain the 2.2-based prototype.

> The NSA download site recommends that people use the most recent
> (LSM) code, which makes sense in development, as I doubt that
> the new versions maintain backward-compatibility.
>
> Is this also the best (general) recommendation for trying to deliver
> an operational, secured system?

I don't think we have any particular recommendations for an operational, secured system. The SELinux functionality is useful, but it isn't a product, and it uses the latest kernel versions, which aren't always so stable.

> Within the caveat that I don't think NSA can (or should) take
> responsibility to recommend SE Linux as a production system, are
> there any differences between the 3 major extant versions
> (2.2.19, 2.4, LSM) as regards deploying operational servers?

I've heard that the 2.2 Linux kernel is still preferred for stability, but hopefully 2.4 will become just as stable soon. As far as SELinux goes, I don't see any reason to use the old 2.4.3 SELinux kernel patch. Conceivably, you could backport bug fixes and improvements made to the new software components of SELinux (the security server, access vector cache, and persistent label mapping) to the 2.2.19 SELinux prototype. Or you can wait for 2.4 to stabilize and use the LSM-based prototype.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

Received on Tue 9 Oct 2001 - 11:08:49 EDT