What's New Fedora Core 6 (Part 1): Hardened but not Hard to Swallow

by Chris Tyler

Fedora Core 6 was released today! Congratulations to all of the Fedora and upstream developers. The step to Core 6 is smaller than the step to Core 5 last spring, and the distinguishing qualities of this release are generally those of refinement and polish.

Fedora Core is one of the few Linux distributions that is hardened out-of-the-box: SELinux uses the Linux Security Module (LSM) interface to enforce system-wide policy that restricts the actions of individual processes. For the past few releases, Fedora Core has shipped with a targeted policy that is designed to protect the services and processes most likely to be attacked while leaving the rest of the system relatively unhampered. Fedora Core 6 refines and extends the targeted policy to provide better protection and less interference with untargeted applications. An improved range of policy option switches (booleans) permits the policy to be adjusted without rewriting it.

SELinux works well, but since applications are not aware that SELinux is restricting them, error messages can be a bit bewildering. For example, Apache may record in its error log that a particular file does not exist, when it plainly does exist and has the correct permissions; what is happening is that SELinux is blocking Apache's access to the file. The SELinux activity is recorded in the form of access vector cache (AVC) denial entries in the system log, but these can be time-consuming to interpret.
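To show what reading one of these entries involves, here is an added example (not from the original article, and not setroubleshoot's code): a small Python reader that pulls the fields out of an AVC denial like the Apache case above and states them in one sentence. The log line is constructed, and the function names are illustrative.

```python
import re

# Constructed sample: an AVC denial as the kernel logs it when a process in
# the httpd_t domain is refused read access to a file labelled user_home_t.
SAMPLE = ('Oct 24 10:15:02 host kernel: audit(1161699302.123:45): avc:  denied  '
          '{ read } for  pid=2345 comm="httpd" name="index.html" dev=dm-0 '
          'ino=123456 scontext=user_u:system_r:httpd_t:s0 '
          'tcontext=user_u:object_r:user_home_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(context):
    """Extract the type (third field) from user:role:type[:level]."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def explain(line):
    """One-sentence plain-language reading of an AVC denial line."""
    f = parse_avc(line)
    if f is None:
        return None
    # Fields can be absent (for example, no name= for some object classes).
    target = f.get('name') or f.get('path') or 'an object'
    return ('SELinux denied {perms} on {tclass} "{target}" (type {ttype}) '
            'to process "{comm}" running as {stype}').format(
        perms='/'.join(f['perms']), tclass=f.get('tclass', '?'),
        target=target, ttype=context_type(f.get('tcontext', '?')),
        comm=f.get('comm', '?'), stype=context_type(f.get('scontext', '?')))


if __name__ == '__main__':
    print(explain(SAMPLE))
```

The two type names are what decide the outcome: the file's ordinary permissions never appear in the entry, which is why a file that looks readable can still be refused.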

FC6 includes the first version of a diagnostic tool, setroubleshoot, which watches for AVC denials, notifies the desktop user of their occurrence, and optionally translates the messages into plain language with recommendations for conflict resolution. This is a fantastic tool that will go a long way toward relieving the frustration of administrators and users who are unfamiliar with SELinux (and ultimately, reduce the temptation to turn SELinux off altogether).