A seatbelt for server software: SELinux blocks real-world exploits

Linux security experts are reporting a growing list of real-world security situations in which the US National Security Agency's SELinux security framework contains the damage resulting from a flaw in other software. These so-called "mitigations" are showing that a Linux feature that began as an esoteric security measure is starting to prove its worth.

The US National Security Agency first published SELinux in 2000, and Linus Torvalds accepted it into the mainstream kernel in 2002, but for much of the time since then it has been largely of academic interest. Many Linux administrators first saw SELinux in the form of a long article or tutorial that started with a whole new glossary of security terminology. And if you put SELinux on a real system, and the error messages for a failed configuration were confusing.

But the announcements of several recent security holes tell a new story: SELinux, if turned on, can prevent an attacker from using an exploit to its full destructive potential. For example, one vulnerability in the Hewlett-Packard Linux Imaging and Printing Project's software would have allowed an attacker to run arbitrary commands as root. However, according to the company's security advisory on the bug, "On Red Hat Enterprise Linux (RHEL) 5, the SELinux targeted policy for hpssd which is enabled by default, blocks the ability to exploit this issue to run arbitrary code."

Dan Walsh, an SELinux developer at Red Hat, covered another, higher profile mitigation on his blog. Samba, the software that acts as a file server for Microsoft Windows systems, had a vulnerability that would have allowed an attacker to run commands as root. However, "while the exploit might be able to take advantage of a buffer overflow, when the attacker tries to execute the code, SELinux would stop it," he wrote.

SELinux gets tools, software integration

"SELinux took a bit of a black eye by hitting it big a bit earlier than it should have," said Chad Sellers, Lead Software Architect for Tresys Technology, LLC, in an email interview. He adds, "SELinux systems have become much easier to use while at the same time protecting more and more things. The tools are much improved now so that if there's a problem, it's usually fairly easy to fix."

Tresys maintains a list of "mitigation news" on its SELinux page. Software with security bugs that SELinux mitigated includes the Apache web server, the Mambo content management system, the Sendmail MTA, and a commonly-installed PHP module, in addition to the HP and Samba bugs.

Users are seeing an increasing number of mitigations today because SELinux is now integrated with more of the software on the system, Sellers says. "RHEL4 targeted about 11 services by default, while RHEL5 targets an order of magnitude more with the default targeted policy," he says.

"The policies are protecting more and more, making it the security feature that administrators really shouldn't live without. So my advice to administrators is to try it out. If they hit a problem, don't turn it off. We have an active user community that can probably resolve the problem in an email or two," Sellers says.