Linux News Today features the latest news from the global Linux community. This site is updated daily. Click here to return to our homepage. Get the lowest cost and the best tech support on any Linux web hosting plan. Click here for details.
                                          home   |   news archives   |   linux forum   |   advertise on our site   |   contact












Promote your company. Reach over 450,000 Linux software developers, Linux users, Web hosting companies, etc. Boost your sales and promote your brand. Read more, click here.


Do it right this time. Click here and we will take good care of you!


Get all the details by clicking here!


Plans begin at $24.95 a month. Get more details, click here.


Click here to order our special clearance dedicated servers.


Promote your company. Reach over 450,000 Linux software developers, Linux users, Web hosting companies, etc. Boost your sales and promote your brand. Read more, click here.







Click here to order our special clearance dedicated servers.





Install your server in Sun Hosting's modern colocation center in Montreal. Get all the details by clicking here.

Is NSA's SE Linux ready for a major update to improve its security?

Share on Twitter.

Get the most dependable SMTP service for your business. You wished you got it sooner!

July 24, 2013

With all the recent revelations that the NSA is spying on just about everything we can think of, maybe it's time for the Linux community to make a very serious and detailed analyzis at the NSA-developed Security Enhanced Linux, in an effort to help improve and expand its security.

Security Enhanced Linux (SEL) was originally developed and integrated by the U.S. National Security Agency and it comprises a kernel patch to add extra security features, and other patches to specific applications to help determine the security domain in which to run various Linux processes.

But now there's a new debate about SE Linux.

The original code is still under the GPLv2, the same licence as the kernel. Numerous individuals and companies have made contributions to the project. The initiative is still ongoing and documented to a certain degree.

But recently, Cyanogenmod, one of the more popular forks of the Android mobile operating systems, announced it would be incorporating SE Linux as part of its security features for mobile devices. That got the attention of some observers in the Linux community.

Asked whether a code audit was needed now, Russell Coker, a Melbourne-based open source developer for the Debian GNU/Linux project, and who is also listed as a contributor to SE Linux, says-- "The SE Linux source is free for anyone to review. It's probably better reviewed than most kernel code because someone who finds a bug or a security issue would get more fame for doing so than for finding bugs in most kernel code."

Coker's view on the topic is shared by many in the Linux community. After all, and for the past few years, he has ported and packaged SE Linux for Debian and he added-- "It doesn't seem plausible that there would be anything inappropriate in security patches publicly submitted by the NSA."

"Given that anyone and anywhere in the world can submit a patch, I don't think that we need to worry about patches coming from .gov email addresses," he added.

Brian May, another Debian developer who is based in Melbourne, is credited with backporting Russell's work to Woody, a Debian release made in July 2002.

May, an open-source consultant, says that he was no longer the maintainer for SE Linux for the stable release of Debian, but that he still has an interest in overseeing the project, and in making sure that the project is ongoing.

"But unfortunately, that's not the case," he said, when the question of him being the maintainer arose. "I looked into SE Linux some years ago, but ran out of time to really get into it. But I am a Debian developer, however."

But May was still confident about the integrity of the code, nevertheless. "SE Linux is entirely open source software, that has been reviewed by many, many people," he added. "It has been merged into the mainline Linux kernel since version 2.6.0-test 3, released on August 8, 2003. That's ten years ago."

"And overall, Linux always has a reputation of being very conservative for allowing new features, especially when it concerns security, and this means that everything would have been reviewed even more times by more people while pushing to have it accepted in the kernel release. If there were any concerns it would have been rejected," May was quick to point out.

"I am sure there would be a number of people very keen on finding backdoors in SE Linux for the sole purpose of discrediting NSA. But so far, I haven't seen any reports of anyone finding anything-- ever. I can only conclude that this is because there are no hidden backdoors," May added.

"But on the other hand, PRISM, if the allegations are found to be true in the next few months, was completely designed around complete secrecy on the part of the NSA. But SE Linux has been a very open and transparent project for many years, so the parallel we are seeing today in comparing PRISM and SE Linux is unfounded and unfair in my view," May said.

In other Linux news

Linus Torvalds says he has released the first candidate for the new Linux 3.11 kernel late yesterday.

It's initially a new version that didn't come without some choice words from the Linux creator. In a direct response to a GIT request on the x86 update for the new 3.11 kernel, Torvalds wrote: "What the f***, guys? This piece-of-s*** commit is marked for stable release, but you clearly never even test-compiled it, did you?"

Overall, the Linux 3.11 rc1 release milestone comes two weeks after the Linux 3.10 release.

"This merge window was smaller in terms of the number of commits than the 3.10 merge window, but we actually have more new lines," Torvalds wrote in his Linux 3.11 rc1 announcement.

"And most of that seems to be in staging. A full thirty-two percent of all changes by line-count is staging, and merging in Lustre is the bulk of that," he added.

Lustre is a high performance computing (HPC) filesytem initiative that has a number of different masters in recent years. It was first backed by Cluster File Systems which was acquired by Sun Microsystems in 2007.

Sun then became part of Oracle in 2010. Oracle never really pushed Lustre forward, instead others in the open source community, including Whamcloud, stepped up to the plate.

And then Whamcloud itself was acquired a year ago by Intel in July of 2012, so there's been quite a bit of moving around in that department.

In February of this year, Xyratex Ltd acquired the name 'Lustre' and its associated intellectual property assets from Oracle.

Lustre isn't the only filesystem in Linux 3.11. Both Ext4 and XFS receive notable improvements in the first release of 3.11.

Linux kernel developer Ted Ts'o noted in an lkml message that there are lots of bug fixes, cleanups and optimizations for the ext4 file system in Lustre.

In other Linux news

SUSE Linux said earlier this morning that it has upgraded its Enterprise Server 11 variant of Linux with its Service Pack 3, adding more features to the suite, and better security.

Among them, the SP3 update also brings support for new and emerging hardware to the operating system, and that should make some system admins happy.

The news were largely expected in the Linux community.

SUSE is the open source operating system arm of the Attachmate conglomerate owned by the private equity trio of Francisco Partners, Golden Gate Capital, and Thomas Bravo. SUSE already moved to the Linux 3.0 kernel with SLES 11 SP2 in February of last year.

Matthias Eckermann, senior product manager for SUSE Linux Enterprise says that the company has rolled up all the recent patches and security updates to the Linux kernel and back-ported them to the 3.0 kernel already certified in SLES 11 SP2.

That specific kernel design had support for up to 4,096 virtual processors, and now with the SP3 update, the operating system can address up to 16 TB of physical memory on a single kernel.

"As far as I know it, no one has ever tested a server that large," says Eckermann. "It will get interesting when you go beyond 64 TB for a data warehouse because you cannot always partition a database. So it's good to have a very large memory segment in my opinion."

The Itanium and PowerPC/Power kernels can scale up to 1 PB of main memory, theoretically, while IBM's System z mainframes top out at 4 TB and 64-bit x86 processors peak at 64 TB.

The tested and certified limit on an Itanium machine is 8 TB, on a mainframe is 256 GB, and on x86 machines it's now 16 TB. With the SP3 update, the PowerPC/Power kernel has been tested up to 16 TB as well,as you can see in the release notes.

The SP3 update supports IBM's latest eight-core Power7+ processors, which rolled out last fall in some machines and this spring in others, and according to Eckermann has been updated so that the kernel can boot on IBM's future Power8 chips, which are expected sometime next year.

Future UV shared memory systems from Silicon Graphics are also enabled with SP3, and although the release notes are not specific, that has to mean a variant of the UV 2 system using Intel's "Ivy Bridge" Xeon E5 chips expected in the third quarter, probably around September if the rumors are right.

The kernel supports other Ivy Bridge machines including future "Ivy Bridge-EX" Xeon E7 processors. Intel's current "Haswell" Core chips for PCs and Xeon E3 chips for servers and workstations are also enabled with SP3, as is the Opteron 4300 and 6300 processors from AMD.

On the server virtualization front, the latest KVM 1.4 and Xen 4.2 hypervisors have been pulled into SLES 11 SP3, and the virtual CPU and virtual memory limits of their virtual machines have been consequently expanded from the SP2 release.

KVM now supports up to 160 virtual CPUs and 2 TB of virtual memory per guest partition, with up to eight virtual network interfaces. There is no limit on the number of guests, but the total virtual CPUs across guest partitions cannot exceed a number that is equal to eight times the number of cores in the physical machine.

On a two-socket Xeon E5 server with 32 threads, that is 256 virtual CPUs max. The Xen hypervisor, still in use by plenty of SUSE Linux developers, can span 255 processors or threads, whichever is the larger number in the system and span 2 TB of physical memory.

A virtual machine running atop Xen can access 32 virtual CPUs and 512GB of virtual memory. Both the KVM and Xen hypervisors have been tweaked to support a whole slew of new instructions in the Haswell family of chips, such as fused multiply add, 256-bit integer vectors, and MOVBE support, which will apparently help the performance of both hypervisors.

Microsoft and SUSE Linux have worked to bring the memory-ballooning support for virtualized memory to SLES 11 SP3 when it runs atop Microsoft's Hyper-V hypervisor.

Hyper-V also now supports host-initiated guest backups using the Windows VSS framework, and the Hyper-V Vmbus protocol that is a virtual link between the hypervisor and guest has been brought up to the Windows Server 2012/Windows 8 level.

This is a more efficient implementation of that interconnect protocol, SUSE Linux says. Linux containers, the virtual private server alternative to hypervisor virtualization, has been updated with the latest patches, as well.

LXC, like Solaris containers on Sparc and x86, Parallels on x86 iron, and workload partitions on AIX, have a shared kernel and file system underneath a list of operating system runtime sandboxes that are logically separated from each other.

With SP3, SUSE Linux is adding the Oracle Cluster File System 2 (OCFS 2) file system to the stack of supported file systems, which includes ext3, ReiserFS 3.6, XFS, and Btrfs.

Eckermann says that customers are using XFS and ReiserFS in production address more than 8 TB in one file system. XFS, which has been in SLES for nearly eleven years now, is the preferred file system for those with heavy loads and parallel read and write operations, such as serving up Samba or NFS.

Get a great deal on a fully dedicated Linux or Windows server. Order here.

The ext4 file system is fully supported in SP3, but only as a read-only file system, and the company would much prefer that you use Btrfs.

Btrfs, which first appeared in production-grade with SLES 11 SP2 a little more than a year ago has been patched with the latest updates.

"Many people are still looking at it, but not many people are placing it into production, at least not for now, anyway. But this is typical of new kernels," says Eckermann.

And there are no major technology previews in SLES 11 SP3, but there are a few smaller ones. The KVM hypervisor is being shown in the early stages running on IBM mainframes.

Nested virtualization support, which was already available for AMD's Opteron processors, is now in preview for Intel Xeon chips that sport the VT virtualization extensions.

SUSE Linux is also rolling out the libguestfs tool, which is used to access and modify virtual machine disk images. Hot-add memory for Xeon, Itanium, and Power machines is still in tech preview, too.

All in all, there are 70 driver updates with SP3 in addition to the tweaking of the kernel to support the new processors and related chipsets, says Eckermann. These includes a slew of 8 Gb/sec and 16 Gb/sec Fibre Channel storage adapters, 10 Gb/sec and 40 Gb/sec Ethernet adapters, and the Open Fabrics Enterprise Distribution (OFED) 1.5.4 open source driver set for InfiniBand and Ethernet adapters to bring Remote Direct Memory Access (RDMA) support to those adapters.

RDMA reduces latency by allowing network cards to access the main memory of other servers on the network without going through the network stack in the operating system.

In other Linux OS news

Fedora 19, codenamed Schrodinger's Cat, follows the much-delayed Fedora 18 and the good news is things looks to be back on track for the Fedora team.

Not only is the release just a week away but it also sees Fedora returning to its core focus-- building useful software for developers and the Linux community.

The Ubuntu Linux distribution is busy tricking out its new touch-based interfaces and getting ready for the first Ubuntu-based phones and tablets to arrive. However, the project still hasn't had any precious time to offer the still-dominant desktop and laptop users of late, particularly Linux developers.

But not so with Fedora-- it never is, really. Yes, the GNOME project is pursuing its own tablet and mobile dreams - though thus far no one seems interested, well at least for now, but underneath the GNOME trappings, Fedora does have a couple of great new pieces of software designed to make developers' lives easier.

But perhaps the most intriguing of these is the new "Developer's Assistant", which aims to make setting up your development environment a bit simpler.

The concept behind Developer's Assistant is to make it easy for new Linux developers, as well as seasoned developers new to Fedora, to get up and running with all the dev tools they need quickly.

You'll need to install Developer's Assistant yourself from the Fedora repos and unfortunately there's not much in the way of documentation at the moment.

We would suggest reading through the devassistant main page to get an idea of how it works. Once you've got your head wrapped around the syntax, you can create entire working environments with a single line in the shell.

There are setups available for pretty much every language and most major projects within languages for example, Django for Python devs and Rails for Ruby developers.

There are even some setups for Vim, Eclipse and Git. To use the latter, you'll need to have a GitHub account, but provided you've got your GitHub login info handy, Developer's Assistant makes sharing your code on the web dead simple.

Using the Developer's Assistant is just a matter of invoking the devassistant tool. For example, devassistant python django -n ~/newproject will give you a fully loaded, working Django project with what devassistant's developers call "sane defaults".

But of course, those defaults may not exactly match the way you're used to working, however. Developer's Assistant can't be all things to all developers, so it tends to stick close to the best practices for each project and language.

To stick with the Django example, what you get from Developer's Assistant is very close to how the Django documentation suggests setting up your projects.

Chances are that seasoned developers have workflows and environments that are idiosyncratic enough that a tool like devassistant won't produce ideal results, but for new developers looking to set up a workable environment quickly, devassistant is a nice tool.

The other big developer news in Fedora 19 is OpenShift Origin, a new set of tools to build your own Platform-as-a-Service like Red Hat's OpenShift.

OpenShift is a hosted service designed to allow developers to quickly build and run cloud-based applications without worrying about server management or virtualisation details. Think of OpenShift as RedHat's answer to Microsoft's Azure or a more closely managed version of Amazon's web services.

Source: Cyanogenmod.

Get the most reliable SMTP service for your business. You wished you got it sooner!

Share on Twitter.

All logos, trade marks or service marks on this website are the property of their respective companies or owners.

Article featured on Tech Blog and on Business 5.0

Get a best price and the most dependable server colocation reliability from the experts at Sun Hosting. Learn more. This article was featured on Tech Blog and Business 5.0.












ADVERTISERS:
Linux News Today.org is read by over 450,000 people involved in the field of Linux application development, professional Web hosting services, Linux security, Linux Web development, etc. Inquire about our reasonable advertising rates on our news website. One of our advertising representatives will be in touch with you. Simply email us to learn about our ad rates and how we can help drive relevant traffic to your website. Advertising space is limited.





  Site powered by Linux Hosting      Sponsored by DMZ eMail and by Sun Hosting.      Linux news while they are still fresh.    LinuxNewsToday.org.   Linux is a registered trademark of Linus Torvalds.