SELinux and Security in the Context of Cloud Servers

SELinux Was Developed By United States National Security Agency (NSA). SELinux and Security in the Context of Cloud Servers Can Be Questionable. SELinux stands for Security-Enhanced Linux, it is a Linux kernel security module and often used on OpenStack for the clients. OpenStack community has no support from the for SELinux part. It can be a good and practical question to ask the possibility of Spyware functions in SELinux. This article is not sufficient to evidence. The information is via Third Parties and we are not exactly what is a Linux Distro developer, Linux Kernel is not exactly any Linux Distro. Ubuntu Desktop can have kind of Spyware, it is quite known. We have no idea about Ubuntu Server Version. Here is the difference between a Server OS and a Desktop OS.

SELinux and Security in the Context of Cloud Servers : Basics About Security-Enhanced Linux

SELinux is an extension of the Linux kernel, which represents the first attempt to impliment the Flux Advanced Security Kernel (FLASK) concept of the US secret service NSA. It implements the access control to resources within the boundary of Mandatory Access Control. SELinux is governed by the NSA and the Linux distributor Red Hat. Companies such as Network Associates, Secure Computing Corporation and Tresys are or were also involved in the work on SELinux.

SELinux is open source software and consists of a kernel patch and numerous extensions for system programs together. For setting the rules, there is a so-called policy which is currently published by Tresys. Most distributions offer special SELinux policy packages for their programs that extend the policy to the application. For 2.4.x there is a patch for kernel 2.6.x SELinux. The Linux distribution Fedora (by a Red Hat sponsored project) was the first distribution to mitliefert SELinux support. Fedora Core 3 and Red Hat Enterprise Linux 4 were delivered as the first distributions with full SELinux support. Meanwhile, it is also an integral part of CentOS, Hardened Gentoo and openSUSE. Ubuntu and Debian installed this subsequently. With the introduction of Android 4.3 also officially based on the Linux kernel, SELinux has been expanded.

Command-line utilities include : chcon, restorecon, restorecond, runcon, secon, fix files, setfiles, load policy, booleans, getsebool, setsebool, togglesebool, set enforce, load policy, setfiles, semodule, postfix-nochroot, check-selinux-installation, semodulepackage, check module, selinux-config-enforcing, selinuxenabled, selinux-policy-upgrade, security set boolean.

SELinux and Security in the Context of Cloud Servers

SELinux is often criticized for being too complex to be managed by normal users. Spying on people and organizations is the core business of the NSA. Until one can find the backdoor itself, the concern towards SELinux itself as Security Backdoor remains unanswerable. It is a matter of many parameters. There are also stuffs like hardware PRNG and PRNG, which has doubts.

Expecting backdoors is a bit strong. Linux is used by a lot of users. NSA will, as much as possible, definitely protect their own competitors! Putting a backdoor in Linux implies the risk of allowing to spy through this backdoor.

SELinux can potentially control which activities a system allows each user, process and daemon, with very precise specifications. Ordinary user-processes often run in the unconfined domain, not controlled by SELinux but still restricted by the classic Linux access rights.

Linux is tested by competent programmers. SELinux is right in the middle of all this inspection. There are PhD theses on SELinux, so it is not easy to assume anything so fast. Any patch committed into the Linux kernel is followed through revision control. SELinux comes from the NSA and is tagged as such. If a backdoor was inserted and then subsequently discovered, it would be easy to track it back. Not to forget, the person who maintains the Linux Kernel has some philosophical difference with Richard M. Stallman.

Richard M. Stallman is never known to be a lover of Cloud Computing, because basically except the IaaS and to some extent PaaS, SaaS are web apps. The possibility of spyware activity increases with increasing complexity of a setup. NSA is not the only place on earth where good C/C++ programmers work but it also true that, ShellShock, HeartBleed happened !