Misplaced Pages

Security-Enhanced Linux

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license.

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).


110-573: SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy, and streamlines the amount of software involved with security policy enforcement. The key concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency (NSA). The NSA Security-enhanced Linux Team describes NSA SELinux as

220-527: A Wayland compositor such as Sway , KDE 's KWin , or GNOME 's Mutter ), a desktop environment (most commonly GNOME , KDE Plasma , or Xfce ), a sound server (usually either PulseAudio or more recently PipeWire ), and other related programs may be included or installed by the user. Typically, most of the included software is free and open-source software – made available both as binary for convenience and as source code to allow for modifying it. A distro may also include proprietary software that

330-498: A monolithic kernel, with a modular design. Different parts of the kernel, such as drivers, are designed as modules. The user can load and unload these modules at any time. ULE is the default scheduler in FreeBSD since version 7.1, it supports SMP and SMT . The FreeBSD kernel has also a scalable event notification interface, named kqueue . It has been ported to other BSD-derivatives such as OpenBSD and NetBSD . Kernel threading

440-589: A "technology preview". SELinux is popular in systems based on Linux containers, such as CoreOS Container Linux and rkt. It is useful as an additional security control to help further enforce isolation between deployed containers and their host. SELinux has been available since 2005 as part of Red Hat Enterprise Linux (RHEL) version 4 and all future releases. This presence is also reflected in corresponding versions of derived systems such as CentOS, Scientific Linux, AlmaLinux and Rocky Linux. The supported policy in RHEL4

550-439: A CD with only a small amount of data on it. New users tend to begin by partitioning a hard drive in order to keep their previously installed operating system. The Linux distribution can then be installed on its own separate partition without affecting previously saved data. In a Live CD setup, the computer boots the entire operating system from CD without first installing it on the computer's hard disk. Many distributions have

660-520: A Live CD installer , where the computer boots the operating system from the disk, and it can then be installed on the computer's hard disk, providing a seamless transition from the OS running from the CD to the OS running from the hard disk. Both servers and personal computers that come with Linux already installed are available from vendors including Hewlett-Packard , Dell and System76 . On embedded devices, Linux

770-483: A confined daemon that becomes compromised. Command-line utilities include: chcon, restorecon, restorecond, runcon, secon, fixfiles, setfiles, load_policy, booleans, getsebool, setsebool, togglesebool, setenforce, semodule, postfix-nochroot, check-selinux-installation, semodule_package, checkmodule, selinux-config-enforcing, selinuxenabled, and selinux-policy-upgrade. To put SELinux into enforcing mode: To query

880-524: A conscious effort to use a different operating system, and they must either perform the actual installation themselves, or depend on support from a friend, relative, or computer professional. TrustedBSD FreeBSD is a free and open-source Unix-like operating system descended from the Berkeley Software Distribution (BSD) which currently runs on IA-32 , x86-64 , ARM , PowerPC and RISC-V based computers. The first version

990-512: A distribution, an administrator may create a "distributionless" installation. It is possible to build such systems from scratch, avoiding distributions altogether. One needs a way to generate the first binaries until the system is self-hosting . This can be done via compilation on another system capable of building binaries for the intended target (possibly by cross-compilation ). For example, see Linux From Scratch . In broad terms, Linux distributions may be: The diversity of Linux distributions

1100-461: A hybrid of concepts and capabilities drawn from mandatory access controls, mandatory integrity controls, role-based access control (RBAC), and type enforcement architecture. Third-party tools enable one to build a variety of security policies. The earliest work directed toward standardizing an approach providing mandatory and discretionary access controls (MAC and DAC) within a UNIX (more precisely, POSIX) computing environment can be attributed to

1210-430: A lawsuit against BSDi and alleged distribution of AT&T source code in violation of license agreements. The lawsuit was settled out of court and the exact terms were not all disclosed. The only one that became public was that BSDi would migrate its source base to the newer 4.4BSD-Lite2 sources. Although not involved in the litigation, it was suggested to FreeBSD that it should also move to 4.4BSD-Lite2. FreeBSD 2.0, which


1320-492: A modern graphics stack is available via drm-kmod. A large number of wireless adapters are supported. FreeBSD releases installation images for supported platforms. Since FreeBSD 13 the focus has been on x86-64 and aarch64 platforms which have Tier 1 support. IA-32 is a Tier 1 platform in FreeBSD 12 but is a Tier 2 platform in FreeBSD 13. 32 bit ARM processors using armv6 or armv7 also have Tier 2 support. 64 bit versions of PowerPC and RISC-V are also supported. Interest in

1430-482: A more expressive set of policy choices, AppArmor was designed to be simple by extending the same administrative semantics used for DAC up to the mandatory access control level. There are several key differences: Isolation of processes can also be accomplished by mechanisms such as virtualization; the OLPC project, for example, in its first implementation sandboxed individual applications in lightweight Vservers. Also,

1540-637: A new SLS-based distribution, Slackware , was released by Patrick Volkerding . Also dissatisfied with SLS, Ian Murdock set to create a free distribution by founding Debian in August 1993, with first public BETA released in January 1994 and first stable version in June 1996. Users were attracted to Linux distributions as alternatives to the DOS and Microsoft Windows operating systems on IBM PC compatible computers, Mac OS on

1650-477: A new installer which was introduced in FreeBSD 9.0. bsdinstall is "a lightweight replacement for sysinstall" that was written in sh. According to OSNews , "It has lost some features while gaining others, but it is a much more flexible design, and will ultimately be significant improvement". Prior to 14.0, the default login shell was tcsh for root and the Almquist shell (sh) for regular users. Starting with 14.0,

1760-455: A number of Microsoft Windows native NDIS kernel interfaces to allow FreeBSD to run (otherwise) Windows-only network drivers. The Wine compatibility layer, which allows the running of many Windows applications, especially games, without a (licensed) copy of Microsoft Windows , is available for FreeBSD. FreeBSD's kernel provides support for some essential tasks such as managing processes, communication, booting and filesystems. FreeBSD has

1870-464: A package are present (and either notify the user to install them, or install them automatically). The package can also be provided as source code to be compiled on the system. Most distributions install packages, including the kernel and other core operating system components, in a predetermined configuration. A few now require or permit configuration adjustments at first install time. This makes installation less daunting, particularly for new users, but

1980-404: A proprietary operating system or by translating proprietary API calls (e.g., calls to Microsoft's Win32 or DirectX APIs) into native Linux API calls. A virtual machine can also be used to run a proprietary OS (like Microsoft Windows) on top of Linux. Computer hardware is usually sold with an operating system other than Linux already installed by the original equipment manufacturer (OEM). In

2090-456: A proprietary product. However, the FreeBSD project is still developing and improving its ZFS implementation via the OpenZFS project. The currently supported version of OpenZFS is 2.2.2 which contains an important fix for a data corruption bug. This version is compatible with releases starting from 12.2-RELEASE. FreeBSD ships with three different firewall packages: IPFW, pf and IPFilter. IPFW

2200-573: A regular desktop or a laptop. The X Window System is not installed by default, but is available in the FreeBSD ports collection . Wayland is also available for FreeBSD (unofficially supported). A number of desktop environments such as Lumina , GNOME , KDE , and Xfce , as well as lightweight window managers such as Openbox , Fluxbox , dwm , and bspwm, are also available for FreeBSD. Major web browsers such as Firefox and Chromium are available unofficially on FreeBSD. As of FreeBSD 12, support for

2310-432: A security mechanism and an implementation of operating-system-level virtualization that enables the user to run multiple instances of a guest operating system on top of a FreeBSD host. It is an enhanced version of the traditional chroot mechanism. A process that runs within such a jail is unable to access the resources outside of it. Every jail has its own hostname and IP address. It is possible to run multiple jails at


2420-458: A set of patches to the Linux kernel and utilities to provide a strong, flexible, mandatory access control (MAC) architecture into the major subsystems of the kernel. It provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering, and bypassing of application security mechanisms, to be addressed and enables

2530-462: A specific instruction set , while some (such as Gentoo ) are distributed mostly in source code form and must be built before installation. Linus Torvalds developed the Linux kernel and distributed its first version, 0.01, in 1991. Linux was initially distributed as source code only, and later as a pair of downloadable floppy disk images: one bootable and containing the Linux kernel itself, and

2640-713: A specific application or service. Examples of packages are a library for handling the PNG image format, a collection of fonts, and a web browser . The package is typically provided as compiled code, with installation and removal of packages handled by a package management system (PMS) rather than a simple file archiver . Each package intended for such a PMS contains meta-information such as its description, version number, and its dependencies (other packages it requires to run). The package management system evaluates this meta-information to allow package searches, perform automatic upgrades to newer versions, and to check that all dependencies of

2750-416: A third party repository. In 2020, a new project was introduced to automatically collect information about tested hardware configurations. FreeBSD has a software repository of over 30,000 applications that are developed by third parties. Examples include windowing systems , web browsers , email clients , office suites and so forth. In general, the project itself does not develop this software, only

2860-408: A three string context consisting of a username, role, and domain (or type). This system is more flexible than normally required: as a rule, most of the real users share the same SELinux username, and all access control is managed through the third tag, the domain. The circumstances under which a process is allowed into a certain domain must be configured in the policies. The command runcon allows for

2970-527: A variety of articles, mainly maintained by The FreeBSD Documentation Project. FreeBSD's documentation is translated into several languages. All official documentation is released under the FreeBSD Documentation License , "a permissive non-copyleft free documentation license that is compatible with the GNU FDL". FreeBSD's documentation is described as "high-quality". The FreeBSD project maintains

3080-522: A variety of mailing lists. Among the most popular mailing lists are FreeBSD-questions (general questions) and FreeBSD-hackers (a place for asking more technical questions). Since 2004, the New York City BSD Users Group database provides dmesg information from a collection of computers ( laptops , workstations , single-board computers , embedded systems , virtual machines , etc.) running FreeBSD. From version 2.0 to 8.4, FreeBSD used

3190-563: Is FreeBSD's native firewall. pf was taken from OpenBSD and IPFilter was ported to FreeBSD by Darren Reed. Taken from OpenBSD, the OpenSSH program was included in the default install. OpenSSH is a free implementation of the SSH protocol and is a replacement for telnet. Unlike telnet, OpenSSH encrypts all information (including usernames and passwords). In November 2012, The FreeBSD Security Team announced that hackers gained unauthorized access on two of

3300-416: Is a Linux distribution that can be booted from removable storage media such as optical discs or USB flash drives , instead of being installed on and booted from a hard disk drive . The portability of installation-free distributions makes them advantageous for applications such as demonstrations, borrowing someone else's computer, rescue operations, or as installation media for a standard distribution. When

3410-757: Is a Linux distribution; others, such as Google engineer Patrick Brady, disagree by noting the lack of support for many GNU tools in Android, including glibc . Other Linux-kernel-based operating systems include Tizen , Mer / Sailfish OS , KaiOS and Amazon's Kindle firmware . Lightweight Linux distributions are those that have been designed with support for older hardware in mind, allowing older hardware to still be used productively, or, for maximum possible speed in newer hardware by leaving more resources available for use by applications. Examples include Tiny Core Linux , Puppy Linux and Slitaz . Other distributions target specific niches, such as: The Free Standards Group


3520-496: Is about 3.67%. Many Linux distributions provide an installation system akin to that provided with other modern operating systems. Other distributions, including Gentoo Linux , provide only the binaries of a basic kernel, compilation tools, and an installer; the installer compiles all the requested software for the specific architecture of the user's computer, using these tools and the software's source code. Distributions are normally segmented into packages . Each package contains

3630-616: Is an operating system that includes the Linux kernel for its kernel functionality. Although the name does not imply product distribution per se, a distro, if distributed on its own, is often obtained via a website intended specifically for the purpose. Distros have been designed for a wide variety of systems ranging from personal computers (for example, Linux Mint ) to servers (for example, Red Hat Enterprise Linux ) and from embedded devices (for example, OpenWrt ) to supercomputers (for example, Rocks Cluster Distribution ). A distro typically includes many components in addition to

3740-531: Is an organization formed by major software and hardware vendors that aims to improve interoperability between different distributions. Among their proposed standards are the Linux Standard Base , which defines a common ABI and packaging system for Linux, and the Filesystem Hierarchy Standard which recommends a standard filenaming chart, notably the basic directory names found on the root of

3850-671: Is due to technical, organizational, and philosophical variation among vendors and users. The permissive licensing of free software means that users with sufficient knowledge and interest can customize any existing distribution, or design one to suit their own needs. Rolling Linux distributions are kept current using small and frequent updates . The terms partially rolling and partly rolling (along with synonyms semi-rolling and half-rolling ), fully rolling , truly rolling and optionally rolling are sometimes used by software developers and users. Repositories of rolling distributions usually contain very recent software releases —often

3960-502: Is faster, the user has fewer customization options. FreeBSD version 10.0 introduced the package manager pkg as a replacement for the previously used package tools. It is functionally similar to apt and yum in Linux distributions . It allows for installation, upgrading and removal of both ports and packages. In addition to pkg, PackageKit can also be used to access the Ports collection. First introduced in FreeBSD version 4, jails are

4070-681: Is generally released under a permissive BSD license , as opposed to the copyleft GPL used by Linux. The project includes a security team overseeing all software shipped in the base distribution. Third-party applications may be installed using the pkg package management system or from source via FreeBSD Ports . The project is supported and promoted by the FreeBSD Foundation . Much of FreeBSD's codebase has become an integral part of other operating systems such as Darwin (the basis for macOS , iOS , iPadOS , watchOS , and tvOS ), TrueNAS (an open-source NAS / SAN operating system), and

4180-552: Is more common for users to compile those programs directly on FreeBSD. No noticeable performance penalty over native FreeBSD programs has been noted when running Linux binaries, and, in some cases, these may even perform more smoothly than on Linux. However, the layer is not altogether seamless, and some Linux binaries are unusable or only partially usable on FreeBSD. There is support for system calls up to version 4.4.0 , available since FreeBSD 14.0 . As of release 10.3, FreeBSD can run 64-bit Linux binaries. FreeBSD has implemented

4290-510: Is not FreeBSD-specific so it deals with the technical aspects of all BSD-derived operating systems, including OpenBSD and NetBSD . In addition to BSDcon, three other annual conferences, EuroBSDCon, AsiaBSDCon and BSDCan take place in Europe , Japan and Canada respectively. The FreeBSD Project is run by around 500 committers or developers who have commit access to the master source code repositories and can develop, debug or enhance any part of

4400-489: Is not always acceptable. For specific requirements, much software must be carefully configured to be useful, to work correctly with other software, or to be secure, and local administrators are often obliged to spend time reviewing and reconfiguring it. Some (but not all) distributions go to considerable lengths to adjust and customize the software they include, and some provide configuration tools to help users do so. By obtaining and installing everything normally provided in

4510-404: Is not an emulation ; Linux's system call interface is implemented in the FreeBSD's kernel and hence, Linux executable images and shared libraries are treated the same as FreeBSD's native executable images and shared libraries. Additionally, FreeBSD provides compatibility layers for several other Unix-like operating systems , in addition to Linux, such as BSD/OS and SVR4 , however, it


4620-545: Is not available in source code form, such as a device driver binary . A distro may be described as a particular assortment of application and utility software (various GNU tools and libraries, for example), packaged with the Linux kernel in such a way that its capabilities meet users' needs. The software is usually adapted to the distribution and then combined into software packages by the distribution's maintainers. The software packages are available online in repositories , which are storage locations usually distributed around

4730-475: Is often asked to become a committer. FreeBSD developers maintain at least two branches of simultaneous development. The -CURRENT branch always represents the " bleeding edge " of FreeBSD development. A -STABLE branch of FreeBSD is created for each major version number, from which -RELEASE is cut about once every 4–6 months. If a feature is sufficiently stable and mature it will likely be backported ( MFC or Merge from CURRENT in FreeBSD developer slang) to

4840-424: Is often referred to as "distro hopping". Virtual machine software such as VirtualBox and VMware Workstation virtualize hardware allowing users to test live media on a virtual machine without installing to the real system. Some websites like DistroWatch offer lists of distributions, and link to screenshots of operating systems as a way to get a first impression of various distributions. Some distributions let

4950-513: Is sometimes possible on closely related distributions. There are several ways to install a Linux distribution. The most common method of installing Linux is by booting from a live USB memory stick , which can be created by using a USB image writer application and the ISO image, which can be downloaded from various Linux distribution websites. DVD disks, CD disks, network installations and even other hard drives can also be used as "installation media". In

5060-519: Is targeted policy which aims for maximum ease of use and thus is not as restrictive as it might be. Future versions of RHEL are planned to have more targets in the targeted policy which will mean more restrictive policies. SELinux can potentially control which activities a system allows each user, process, and daemon, with very precise specifications. It is used to confine daemons such as database engines or web servers that have clearly defined data access and activity rights. This limits potential harm from

5170-462: Is typically held in the device's firmware and may or may not be consumer-accessible. Anaconda , one of the more popular installers, is used by Red Hat Enterprise Linux , Fedora (which uses the Fedora Media Writer ) and other distributions to simplify the installation process. Debian, Ubuntu and many others use Debian-Installer . The process of constantly switching between distributions

5280-529: The Apple Macintosh , and proprietary versions of Unix . Most early adopters were familiar with Unix from work or school. They embraced Linux distributions for their low (or absent) cost, and the availability of the source code for most or all of their software. As of 2024, Linux has become more popular in server and embedded devices markets than in the desktop market. It is used in approximately 58.9% of web servers; its current operating system market share

5390-518: The Berkeley Fast File System . The BSD project was founded in 1976 by Bill Joy . But since BSD contained code from AT&T Unix, all recipients had to first get a license from AT&T in order to use BSD. In June 1989, "Networking Release 1" or simply Net-1 – the first public version of BSD – was released. After releasing Net-1, Keith Bostic , a developer of BSD, suggested replacing all AT&T code with freely-redistributable code under

5500-650: The FLASK/TE implementation have been made available via the TrustedBSD Project for the FreeBSD and Darwin operating systems. Security-Enhanced Linux implements the Flux Advanced Security Kernel (FLASK). Such a kernel contains architectural components prototyped in the Fluke operating system. These provide general support for enforcing many kinds of mandatory access control policies, including those based on

5610-664: The KAME project . Prior to version 11.0, FreeBSD supported IPX and AppleTalk protocols, but they are considered old and have now been dropped. As of FreeBSD 5.4, support for the Common Address Redundancy Protocol (CARP) was imported from the OpenBSD project. CARP allows multiple nodes to share a set of IP addresses, so if one of the nodes goes down, other nodes can still serve the requests. FreeBSD has several unique features related to storage. Soft updates can protect


5720-830: The NSA has adopted some of the SELinux concepts in Security-Enhanced Android. General Dynamics builds and distributes PitBull Trusted Operating System, a multilevel security (MLS) enhancement for Red Hat Enterprise Linux. Multi-Category Security (MCS) is an enhancement to SELinux for Red Hat Enterprise Linux that allows users to label files with categories, in order to further restrict access through discretionary access control and type enforcement. Categories provide additional compartments within sensitivity levels used by multilevel security (MLS). Linux distribution A Linux distribution (often abbreviated as distro)

5830-478: The National Security Agency's Trusted UNIX (TRUSIX) Working Group, which met from 1987 to 1991 and published one Rainbow Book (#020A), and produced a formal model and associated evaluation evidence prototype (#020B) that was ultimately unpublished. SELinux was designed to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux. Originally,

5940-513: The PlayStation 4 operating system is derived from FreeBSD 9. Netflix , WhatsApp , and FlightAware are also examples of large, successful and heavily network-oriented companies which are running FreeBSD. 386BSD and FreeBSD were both derived from BSD releases. In January 1992, Berkeley Software Design Inc. (BSDi) started to release BSD/386 , later called BSD/OS, an operating system similar to FreeBSD and based on 4.3BSD Net/2. AT&T filed

6050-645: The TrustedBSD project. The project was founded by Robert Watson with the goal of implementing concepts from the Common Criteria for Information Technology Security Evaluation and the Orange Book. This project is ongoing and many of its extensions have been integrated into FreeBSD. The project is supported by a variety of organizations, including the DARPA, NSA, Network Associates Laboratories, Safeport Network Services,

6160-425: The software development process , standard releases require significant development effort to keep old versions up-to-date by propagating bug fixes back to the newest branch, versus focusing on the newest development branch . Also, unlike rolling releases, standard releases require more than one code branch to be developed and maintained, which increases the workload of the software developers and maintainers. On

6270-400: The 1990s, Linux distributions were installed using sets of floppy disks but this has been abandoned by all major distributions. By the 2000s many distributions offered CD and DVD sets with the vital packages on the first disc and less important packages on later ones. Some distributions, such as Debian also enabled installation over a network after booting from either a set of floppy disks or

6380-577: The Dom0 privileged domain for the Xen type 1 hypervisor. Support for running as DomU (guest) has been available since FreeBSD 8.0. VirtualBox (without the closed-source Extension Pack ) and QEMU are available on FreeBSD. Most software that runs on Linux can run on FreeBSD using an optional built-in compatibility layer . Hence, most Linux binaries can be run on FreeBSD, including some proprietary applications distributed only in binary form. This compatibility layer

6490-461: The Linux kernel. Commonly, it includes a package manager , an init system (such as systemd , OpenRC , or runit ), GNU tools and libraries , documentation, IP network configuration utilities, the getty TTY setup program, and many more. To provide a desktop experience (most commonly the Mesa userspace graphics drivers) a display server (the most common being the X.org Server , or, more recently,

6600-553: The RISC-V architecture has been growing. The MIPS architecture port has been marked for deprecation and there is no image for any currently supported version. FreeBSD 12 supports SPARC but there is no image for FreeBSD 13. FreeBSD's TCP/IP stack is based on the 4.2BSD implementation of TCP/IP which greatly contributed to the widespread adoption of these protocols. FreeBSD also supports IPv6 , SCTP , IPSec , and wireless networking ( Wi-Fi ). The IPv6 and IPSec stacks were taken from

6710-567: The SELinux status: SELinux represents one of several possible approaches to the problem of restricting the actions that installed software can take. Another popular alternative is called AppArmor and is available on SUSE Linux Enterprise Server (SLES), openSUSE, and Debian-based platforms. AppArmor was developed as a component to the now-defunct Immunix Linux platform. Because AppArmor and SELinux differ radically from one another, they form distinct alternatives for software control. Whereas SELinux re-invents certain concepts to provide access to


6820-472: The SELinux tools to produce a single policy file. The resulting policy file can be loaded into the kernel to make it active. Loading and unloading policies does not require a reboot. The policy files are either hand-written or can be generated from the more user-friendly SELinux management tool. They are normally tested in permissive mode first, where violations are logged but allowed. The audit2allow tool can be used later to produce additional rules that extend

6930-648: The TrustedBSD MAC Framework has been adopted by Apple for macOS. FreeBSD has been ported to a variety of instruction set architectures. The FreeBSD project organizes architectures into tiers that characterize the level of support provided. Tier 1 architectures are mature and fully supported, e.g. it is the only tier "supported by the security officer". Tier 2 architectures are under active development but are not fully supported. Tier 3 architectures are experimental or are no longer under active development. As of December 2023, FreeBSD has been ported to

7040-530: The University of Pennsylvania, Yahoo!, McAfee Research, SPARTA, Apple Computer, nCircle Network Security, Google, the University of Cambridge Computer Laboratory, and others. The project has also ported the NSA's FLASK/TE implementation from SELinux to FreeBSD. Other work includes the development of OpenBSM, an open-source implementation of Sun's Basic Security Module (BSM) API and audit log file format, which supports an extensive security audit system. This

7150-590: The case of IBM PC compatibles , the OS is usually Microsoft Windows ; in the case of Apple 's Mac computers, it has always been macOS ; Sun Microsystems sold SPARC hardware with the Solaris installed; video game consoles such as the Xbox , PlayStation , Wii , and the Nintendo Switch each have their own proprietary OS. This limits Linux's market share: consumers are unaware that an alternative exists, they must make

7260-403: The concepts of type enforcement, role-based access control, and multilevel security. FLASK, in turn, was based on DTOS, a Mach-derived Distributed Trusted Operating System, as well as on Trusted Mach, a research project from Trusted Information Systems that had an influence on the design and implementation of DTOS. A comprehensive list of the original and external contributors to SELinux

7370-401: The confinement of damage that can be caused by malicious or flawed applications. It includes a set of sample security policy configuration files designed to meet common, general-purpose security goals. A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system services, as well as access to files and network resources. Limiting privilege to

7480-723: The consistency of the UFS filesystem (widely used on the BSDs) in the event of a system crash. Filesystem snapshots allow an image of a UFS filesystem at an instant in time to be efficiently created. Snapshots allow reliable backup of a live filesystem. GEOM is a modular framework that provides RAID (levels 0, 1, 3 currently), full disk encryption, journaling, concatenation, caching, and access to network-backed storage. GEOM allows building of complex storage solutions combining ("chaining") these mechanisms. FreeBSD provides two frameworks for data encryption: GBDE and Geli. Both GBDE and Geli operate at

7590-405: The correctness of the kernel and its security-policy configuration. While problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not necessarily pose a threat to the security of other user programs and system daemons or to the security of the system as a whole. From a purist perspective, SELinux provides

7700-510: The default shell is sh for both root and regular users. The default scripting shell is the Almquist shell. FreeBSD is developed by a volunteer team located around the world. The developers use the Internet for all communication and many have not met each other in person. In addition to local user groups sponsored and attended by users, an annual conference, called BSDcon, is held by USENIX. BSDcon

7810-407: The desired application's source code, either from a local or remote repository, unpack it on the system, apply patches to it and compile it. Depending on the size of the source code, compiling can take a long time, but it gives the user more control over the process and its result. Most ports also have package counterparts (i.e. precompiled binaries), giving the user a choice. Although this method

7920-455: The disk level. GBDE was written by Poul-Henning Kamp and is distributed under the two-clause BSD license. Geli is an alternative to GBDE that was written by Pawel Jakub Dawidek and first appeared in FreeBSD 6.0. From 7.0 onward, FreeBSD supports the ZFS filesystem. ZFS was previously an open-source filesystem that was first developed by Sun Microsystems, but when Oracle acquired Sun, ZFS became

8030-648: The following architectures: The 32-bit ARM (including OTG) and MIPS support is mostly aimed at embedded systems (ARM64 is also aimed at servers), however FreeBSD/ARM runs on a number of single-board computers, including the BeagleBone Black, Raspberry Pi and Wandboard. Supported devices are listed in the FreeBSD 12.1-RELEASE Hardware Notes. The document describes the devices currently known to be supported by FreeBSD. Other configurations may also work, but simply have not been tested yet. Rough automatically extracted lists of supported device ids are available in

8140-475: The framework to allow these programs to be installed, which is known as the Ports collection. Applications may either be compiled from source ("ports"), provided their licensing terms allow this, or downloaded as precompiled binaries ("packages"). The Ports collection supports the current and stable branches of FreeBSD. Older releases are not supported and may or may not work correctly with an up-to-date Ports collection. Ports use Makefiles to automatically fetch

8250-799: The granting of commit access to the source code repositories. A number of responsibilities are officially assigned to other development teams by the FreeBSD Core Team, for example, responsibility for managing the ports collection is delegated to the Ports Management Team. In addition to developers, FreeBSD has thousands of "contributors". Contributors are also volunteers outside of the FreeBSD project who submit patches for consideration by committers, as they do not have commit access to FreeBSD's source code repository. Committers then evaluate contributors' submissions and decide what to accept and what to reject. A contributor who submits high-quality patches

8360-509: The integrity of the binary packages and determined that no unauthorized changes were made to the binary packages, but stated that it could not guarantee the integrity of packages that were downloaded between 19 September and 11 November. FreeBSD provides several security-related features including access-control lists (ACLs), security event auditing, extended file system attributes, mandatory access controls (MAC) and fine-grained capabilities. These security enhancements were developed by

8470-459: The latest stable versions available. They have pseudo-releases and installation media that are simply snapshots of the distribution at the time of the installation image's release. Typically, a rolling-release OS installed from older installation medium can be fully updated after it is installed. Depending on the usage case, there can be pros and cons to both standard release and rolling release software development methodologies. In terms of

8580-475: The launching of a process into an explicitly specified context (user, role, and domain), but SELinux may deny the transition if it is not approved by the policy. Files, network ports, and other hardware also have an SELinux context, consisting of a name, role (seldom used), and type. In the case of file systems, mapping between files and the security contexts is called labeling. The labeling is defined in policy files but can also be manually adjusted without changing

8690-405: The minimum required to work reduces or eliminates the ability of these programs and daemons to cause harm if faulty or compromised (for example via buffer overflows or misconfigurations). This confinement mechanism operates independently of the traditional Linux (discretionary) access control mechanisms. It has no concept of a "root" superuser, and does not share the well-known shortcomings of

8800-588: The name FreeBSD was chosen for the project. The first version of FreeBSD was released in November 1993. In the early days of the project's inception, a company named Walnut Creek CDROM, upon the suggestion of the two FreeBSD developers, agreed to release the operating system on CD-ROM. In addition to that, the company employed Jordan Hubbard and David Greenman, ran FreeBSD on its servers, sponsored FreeBSD conferences and published FreeBSD-related books, including The Complete FreeBSD by Greg Lehey. By 1997, FreeBSD

8910-435: The need to change the contents of the system's hard disk drive. The website DistroWatch lists many Linux distributions and displays some of the ones that have the most web traffic on the site. The Wikimedia Foundation released an analysis of the browser User Agents of visitors to WMF websites until 2015, which includes details of the most popular Operating System identifiers, including some Linux distributions. Many of

9020-797: The operating system is booted from a read-only medium such as a CD or DVD, any user data that needs to be retained between sessions cannot be stored on the boot device but must be written to another storage device, such as a USB flash drive or a hard disk drive. Many Linux distributions provide a "live" form in addition to their conventional form, which is a network-based or removable-media image intended to be used only for installation; such distributions include SUSE, Ubuntu, Linux Mint, MEPIS and Fedora Linux. Some distributions, including Knoppix, Puppy Linux, Devil-Linux, SuperGamer, SliTaz GNU/Linux and dyne:bolic, are designed primarily for live use. Additionally, some minimal distributions can be run directly from as little space as one floppy disk without

9130-477: The original BSD license. Work on replacing AT&T code began and, after 18 months, much of the AT&T code was replaced. However, six files containing AT&T code remained in the kernel. The BSD developers decided to release the "Networking Release 2" (Net-2) without those six files. Net-2 was released in 1991. In 1992, several months after the release of Net-2, William and Lynne Jolitz wrote replacements for

9240-450: The other hand, software features and technology planning are easier in standard releases due to a better understanding of upcoming features in the next version(s). Software release cycles can also be synchronized with those of major upstream software projects, such as desktop environments. As for the user experience, standard releases are often viewed as more stable and bug-free since software conflicts can be more easily addressed and

9350-446: The other with a set of GNU utilities and tools for setting up a file system. Since the installation procedure was complicated, especially in the face of growing amounts of available software, distributions sprang up to simplify it. Early distributions included: The two oldest, still active distribution projects started in 1993. The SLS distribution was not well maintained, so in July 1993

9460-667: The patches that make up SELinux had to be explicitly applied to the Linux kernel source; SELinux was merged into the Linux kernel mainline in the 2.6 series of the Linux kernel. The NSA, the original primary developer of SELinux, released the first version to the open source development community under the GNU GPL on December 22, 2000. The software was merged into the mainline Linux kernel 2.6.0-test3, released on 8 August 2003. Other significant contributors include Red Hat, Network Associates, Secure Computing Corporation, Tresys Technology, and Trusted Computer Solutions. Experimental ports of

9570-478: The policies. Hardware types are quite detailed, for instance, bin_t (all files in the folder /bin) or postgresql_port_t (PostgreSQL port, 5432). The SELinux context for a remote file system can be specified explicitly at mount time. SELinux adds the -Z switch to the shell commands ls, ps, and some others, allowing the security context of the files or process to be seen. Typical policy rules consist of explicit permissions, for example, which domains

9680-618: The policy to allow all legitimate activities of the application being confined. SELinux features include: SELinux has been implemented in Android since version 4.3. Among free community-supported Linux distributions, Fedora was one of the earliest adopters, including support for it by default since Fedora Core 2. Other distributions include support for it such as Debian as of version 9 Stretch release and Ubuntu as of 8.04 Hardy Heron. As of version 11.1, openSUSE contains SELinux "basic enablement". SUSE Linux Enterprise 11 features SELinux as

9790-467: The popular distributions are listed below. Several operating systems include the Linux kernel, but have a userland that differs significantly from that of mainstream Linux distributions: Whether such operating systems count as a "Linux distribution" is a controversial topic. They use the Linux kernel, so the Linux Foundation and Chris DiBona, Google's former open-source chief, agree that Android

9900-457: The project's servers. These servers were turned off immediately. More research demonstrated that the first unauthorized access by hackers occurred on 19 September. Apparently hackers gained access to these servers by stealing SSH keys from one of the developers, not by exploiting a bug in the operating system itself. These two hacked servers were part of the infrastructure used to build third-party software packages. The FreeBSD Security Team checked

10010-448: The rolling release model can have advantages in timely security updates, fixing system or application security bugs and vulnerabilities, that standard releases may have to wait till the next release for or patch in various versions. In a rolling release distribution, where the user has chosen to run it as a highly dynamic system, the constant flux of software packages can introduce new unintended vulnerabilities. A "live" distribution

10120-407: The same time, but the kernel is shared among all of them. Hence only software supported by the FreeBSD kernel can be run within a jail. bhyve, a new virtualization solution, was introduced in FreeBSD 10.0. bhyve allows a user to run a number of guest operating systems (FreeBSD, OpenBSD, Linux, and Microsoft Windows) simultaneously. Other operating systems such as Illumos are planned. bhyve

10230-436: The six AT&T files, ported BSD to Intel 80386-based microprocessors, and called their new operating system 386BSD. They released 386BSD via an anonymous FTP server. The development flow of 386BSD was slow, and after a period of neglect, a group of 386BSD users including Nate Williams, Rod Grimes and Jordan Hubbard decided to branch out on their own so that they could keep the operating system up to date. On 19 June 1993,

10340-507: The software stack more thoroughly tested and evaluated, during the software development cycle. For this reason, they tend to be the preferred choice in enterprise environments and mission-critical tasks. However, rolling releases offer more current software which can also provide increased stability and fewer software bugs along with the additional benefits of new features, greater functionality, faster running speeds, and improved system and application security. Regarding software security,

10450-419: The sysinstall program as its main installer. It was written in C by Jordan Hubbard. It uses a text user interface, and is divided into a number of menus and screens that can be used to configure and control the installation process. It can also be used to install Ports and Packages as an alternative to the command-line interface. The sysinstall utility is now considered deprecated in favor of bsdinstall,

10560-756: The system software for the PlayStation 3 and PlayStation 4 game consoles. The other current BSD systems (OpenBSD, NetBSD, and DragonFly BSD) also contain a large amount of FreeBSD code, and vice-versa. In 1974, Professor Bob Fabry of the University of California, Berkeley, acquired a Unix source license from AT&T. Supported by funding from DARPA, the Computer Systems Research Group started to modify and improve AT&T Research Unix. The group called this modified version "Berkeley Unix" or "Berkeley Software Distribution" (BSD), implementing features such as TCP/IP, virtual memory, and

10670-501: The system. Most of the developers are volunteers and few developers are paid by some companies. There are several kinds of committers, including source committers (base operating system), doc committers (documentation and website authors) and ports (third-party application porting and infrastructure). Every two years the FreeBSD committers select a 9-member FreeBSD Core Team, which is responsible for overall project direction, setting and enforcing project rules and approving new committers, or

10780-463: The traditional Linux security mechanisms, such as a dependence on setuid/setgid binaries. The security of an "unmodified" Linux system (a system without SELinux) depends on the correctness of the kernel, of all the privileged applications, and of each of their configurations. A fault in any one of these areas may allow the compromise of the entire system. In contrast, the security of a "modified" system (based on an SELinux kernel) depends primarily on

10890-435: The tree of any Linux filesystem. Those standards, however, see limited use, even among the distributions developed by members of the organization. The diversity of Linux distributions means that not all software runs on all distributions, depending on what libraries and other system attributes are required. Packaged software and software repositories are usually specific to a particular distribution, though cross-installation

11000-462: The user install Linux on top of their current system, such as WinLinux or coLinux. Linux is installed to the Windows hard disk partition, and can be started from inside Windows itself. Virtual machines (such as VirtualBox or VMware) also make it possible for Linux to be run inside another OS. The VM software simulates a separate computer onto which the Linux system is installed. After installation,

11110-400: The user must possess to perform certain actions with the given target (read, execute, or, in case of network port, bind or connect), and so on. More complex mappings are also possible, involving roles and security levels. A typical policy consists of a mapping (labeling) file, a rule file, and an interface file, that define the domain transition. These three files must be compiled together with

11220-640: The virtual machine can be booted as if it were an independent computer. Various tools are also available to perform full dual-boot installations from existing platforms without a CD, most notably: Some specific proprietary software products are not available in any form for Linux. As of September 2015, the Steam gaming service has over 1,500 games available on Linux, compared to 2,323 games for Mac and 6,500 Windows games. Emulation and API-translation projects like Wine and CrossOver make it possible to run non-Linux-based software on Linux systems, either by emulating

11330-724: The world. Beside "glue" components, such as the distribution installers (for example, Debian-Installer and Anaconda) and the package management systems, very few packages are actually written by a distribution's maintainers. Distributions have been designed for a wide range of computing environments, including desktops, servers, laptops, netbooks, mobile devices (phones and tablets), and embedded systems. There are commercially backed distributions, such as Fedora Linux (Red Hat), openSUSE (SUSE) and Ubuntu (Canonical Ltd.), and entirely community-driven distributions, such as Debian, Slackware, Gentoo and Arch Linux. Most distributions come ready-to-use and prebuilt for

11440-451: Was Walnut Creek's "most successful product". The company later renamed itself to The FreeBSD Mall and later iXsystems. Today, FreeBSD is used by many IT companies such as IBM, Nokia, Juniper Networks, and NetApp to build their products. Certain parts of Apple's Mac OS X operating system are based on FreeBSD. Both the PlayStation 3 and Nintendo Switch operating system also borrow certain components from FreeBSD, while

11550-573: Was hosted at the NSA website until maintenance ceased sometime in 2009. The following list reproduces the original as preserved by the Internet Archive Wayback Machine. The scope of their contributions was listed in the page and has been omitted for brevity, but it can be accessed through the archived copy. SELinux users and roles do not have to be related to the actual system users and roles. For every current user or process, SELinux assigns

11660-434: Was introduced in FreeBSD 5.0, using an M:N threading model. This model works well in theory, but it is hard to implement and few operating systems support it. Although FreeBSD's implementation of this model worked, it did not perform well, so from version 7.0 onward, FreeBSD started using a 1:1 threading model, called libthr. FreeBSD's documentation consists of its handbooks, manual pages, mailing list archives, FAQs and

11770-438: Was released in 1993 developed from 386BSD — the first free Unix system — and has since continuously been the most commonly used BSD-derived operating system. FreeBSD maintains a complete system, delivering a kernel, device drivers, userland utilities, and documentation, as opposed to Linux only delivering a kernel and drivers, and relying on third-parties such as GNU for system software. The FreeBSD source code

11880-400: Was released in November 1994, was the first version of FreeBSD without any code from AT&T. FreeBSD contains a significant collection of server-related software in the base system and the ports collection, allowing FreeBSD to be configured and used as a mail server, web server, firewall, FTP server, DNS server and a router, among other applications. FreeBSD can be installed on

11990-520: Was shipped as part of FreeBSD 6.2. Other infrastructure work in FreeBSD performed as part of the TrustedBSD Project has included GEOM and OpenPAM. Most components of the TrustedBSD project are eventually folded into the main sources for FreeBSD. In addition, many features, once fully matured, find their way into other operating systems. For example, OpenPAM has been adopted by NetBSD. Moreover,

12100-602: Was written by Neel Natu and Peter Grehan and was announced in the 2011 BSDCan conference for the first time. The main difference between bhyve and FreeBSD jails is that jails are an operating system-level virtualization and therefore limited to only FreeBSD guests; but bhyve is a type 2 hypervisor and is not limited to only FreeBSD guests. For comparison, bhyve is a similar technology to KVM whereas jails are closer to LXC containers or Solaris Zones. Amazon EC2 AMI instances are also supported via amazon-ssm-agent. Since FreeBSD 11.0, there has been support for running as
