Realistic SELinux
Nothing makes you think twice about trying out a distro when you hear the words ‘notoriously hard-to-configure set of kernel hooks’. Just what every Linux newbie needs to hear!! These guys must be nuts. I mean, I realize there is a reason for everything here, but still it does make me think twice!
SELinux is an impressively designed but notoriously hard-to-configure set of kernel hooks that enforce Orange Book-style security on Linux. Full support for SELinux takes effort, but when I first heard about Fedora’s new targeted policies for SELinux, I was willing to tell the Red Hat folks “thanks, but no thanks.” A conversation with their Dan Walsh changed my mind.
The original SELinux approach was that anything not expressly permitted was forbidden. Technically, this meant that every program anybody would ever run had to be configured with a policy that indicated what files it could touch, who could run it, and every other aspect of the program that might present a risk. Practically, this meant that you’d start your system and find that some obscure daemon wasn’t running, and the only diagnostic aid you had was a few lines listing process IDs and inodes. It didn’t help that all the resources (files and so forth) had to be tagged accurately, along with programs and users.
(This is the point where I feel it justified to mention that O’Reilly has a book about basic SELinux use.)
Fedora users were getting frustrated and turning SELinux off, so Red Hat figured they had to take a new tack before making SELinux the default in Red Hat Enterprise Linux (which they did last week, announcing RHEL 4 at LinuxWorld).
The concept of targeted policies is a compromise. Certain well-known targets such as Apache get the full SELinux treatment. Other services and programs are left with the old Unix security. Over time, more and more programs will move into the targeted area.
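What a targeted policy looks like from the command line, as an added example (not code from the article or from Red Hat): the first function reads `ps -eZ`-style output and sorts processes into those running in their own confined domain (such as `httpd_t`) and those left in `unconfined_t`, where only ordinary Unix permissions apply; the second turns one of the terse audit denial lines mentioned above (process ID, inode, source and target contexts) into a readable sentence. Both the process listing and the AVC record are constructed sample data, and the process names and inode numbers in them are assumptions.

```shell
#!/bin/sh
# Added example: classify processes by SELinux domain and summarize an AVC denial.
# SAMPLE_PS mimics `ps -eZ` output; it is constructed, not captured from a real host.
SAMPLE_PS='LABEL                                     PID TTY          TIME CMD
system_u:system_r:httpd_t:s0             1043 ?        00:00:01 httpd
system_u:system_r:named_t:s0             1102 ?        00:00:00 named
system_u:system_r:unconfined_t:s0        1200 ?        00:00:00 myapp
unconfined_u:unconfined_r:unconfined_t:s0 2201 pts/0    00:00:00 bash'

# SAMPLE_AVC is a constructed audit record in the standard AVC format.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:42): avc:  denied  { read } for  pid=1043 comm="httpd" name="index.html" dev="sda1" ino=77777 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# domain_of CONTEXT: print the type (third colon-separated field) of a context.
domain_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_processes: read ps -eZ lines on stdin and print
# "<command> <domain> confined|unconfined", skipping the header line.
# Under a targeted policy only the targeted daemons get their own domain;
# everything else runs in unconfined_t, i.e. with plain Unix DAC only.
classify_processes() {
    awk 'NR > 1 {
        split($1, ctx, ":")
        domain = ctx[3]
        status = (domain == "unconfined_t") ? "unconfined" : "confined"
        print $NF, domain, status
    }'
}

# count_confined: number of sample processes running in a confined domain.
count_confined() {
    printf '%s\n' "$SAMPLE_PS" | classify_processes | grep -c ' confined$'
}

# summarize_avc: read one AVC denial line on stdin and print who was denied
# what on which object, using the source and target types from the contexts.
summarize_avc() {
    awk '{
        perm = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)     # permission inside "{ ... }"
            split($i, kv, "=")
            f[kv[1]] = kv[2]
        }
        gsub(/"/, "", f["comm"])
        split(f["scontext"], s, ":")
        split(f["tcontext"], t, ":")
        printf "%s (pid %s, %s) denied %s on %s ino %s labelled %s\n",
               f["comm"], f["pid"], s[3], perm, f["tclass"], f["ino"], t[3]
    }'
}

# avc_summary: apply summarize_avc to the constructed record.
avc_summary() {
    printf '%s\n' "$SAMPLE_AVC" | summarize_avc
}

# Run stand-alone: show the classification and the denial summary.
printf '%s\n' "$SAMPLE_PS" | classify_processes
avc_summary
```

On a live Fedora or RHEL system the same two functions work on real input: `ps -eZ | classify_processes` shows which daemons the targeted policy actually confines, and `grep avc: /var/log/audit/audit.log | summarize_avc` (path assumed; older releases logged to the kernel log instead) makes the denial records readable enough to see whether a mislabelled file, rather than a missing policy rule, is what stopped a daemon.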
