Multitudes of bug fixes and feedback on Red Hat Inc.'s inclusion of Security-Enhanced (SE) Linux in the Fedora Project have been submitted from the Linux community since the test2 beta was released in late March. Suffice it to say that the returns have been far more beneficial to Red Hat than any controlled beta release could hope for.
Red Hat put SE Linux in Fedora, its openly developed and constantly changing version of Linux, in preparation for inclusion in the distributor's flagship server OS Red Hat Enterprise Linux 4.0 due in early 2005. SE Linux, developed by the National Security Agency, is an implementation of mandatory access control (MAC) in the Linux kernel that splits root functionality into roles.
Red Hat said Friday it would incorporate the bug fixes and feedback into RHEL in order to correctly configure its policies.
RHEL 4.0 will be the first Linux distribution to include SE Linux, and that along with several impending Common Criteria certifications should open many doors in the enterprise and government for Red Hat.
"Achieving certification is important because it now enables Linux to penetrate markets where it was not able to penetrate before," said Paul Cormier, Red Hat executive vice president of engineering. "Linux has been used in the government for some time, but it can't get official contracts because it's not certified [Common Criteria]."
Red Hat's inclusion of SE Linux as part and parcel of the operating system and not as an added feature is just part of the Raleigh, N.C., company's security road map for 2004. RHEL 3.0 is currently Common Criteria EAL2 certified. Red Hat is currently working on EAL3 and expects EAL4 by the time RHEL 4.0 is released next year.
Common Criteria is a set of criteria by which the security of a mission-critical software product is evaluated. Certification is a seal of approval that is recognized by government agencies and enterprise IT professionals. Countries that recognize the Common Criteria include the United States, Canada, the United Kingdom, Australia, New Zealand, Germany, France and Japan. SuSE Linux Enterprise Server 8 became the first enterprise Linux to reach EAL3 in January.
Cormier said enterprises are likely to look for EAL3 certification, while governments are more likely to look for EAL4. EAL2 evaluates security engineering testing processes. EAL3 evaluates a combination of processes and technology with a heavy focus on auditing capabilities. EAL4 delves deeper into the security technology itself, for example evaluating the ability to partition one user from another and to enforce policy strictly.
Fedora, meanwhile, has served as a staging area for SE Linux for the last two months. Right now its engineers are tuning SE Linux to make it more usable.
"Had it not been for Fedora, we probably would be a lot further back with SE Linux than we are now," Cormier said.
Cormier said Red Hat will likely ship RHEL 4.0 with SE Linux turned off.
"The approach security people take is shut everything off and turn things on as you need them," Cormier said. "The default should be high security, but what that means is a lot of applications will break and you will have people shouting for us to turn this off."
Instead, Cormier said Red Hat is likely to tailor SE Linux based on the majority of feedback it gets from users.
"You can get it super secure, or secure just one daemon like HTTP or Sendmail," Cormier said. "You're going to be able to turn on various policies for different pieces of the OS."
Send your feedback to the SearchEnterpriseLinux.com news team.