First released to the public in January 2001, Security-Enhanced Linux (SELinux) is a research project from the NSA that seeks to enhance the open-source Linux kernel: to provide greater protection against corruption; to prevent the bypassing of application security procedures; and to mitigate the destruction caused by malicious or defective applications.
Normal Linux vs. SELinux
Normal Linux system security relies on the kernel and the dependencies created through the setuid/setgid binaries. Under the conventional security mechanism, an exploit of a flaw with any privileged application, configuration, or process running usually leads to a total system compromise. This problem is consistent with most modern operating systems due to their complexity and interoperability with other applications.
SELinux relies solely on the kernel and the security configuration policy. Once you configure the security system correctly, improper application configuration or exploits of flawed applications and daemons will only result in compromising the user program and its system daemons. The security of other user programs and daemons remains intact, along with the underlying security system structure.
In simpler terms: no single application configuration flaw or exploit can result in a total system compromise.
Installing SELinux
The SELinux kernel, utilities, daemon/utility patches, and documentation are available for download from the Security-Enhanced Linux Web site. You must have an existing Linux system to compile your new kernel and access to unmodified system packages.
Developers have tested the current release with the Red Hat Linux distribution. The binaries are compatible with current Linux applications and include system calls for applications that are security-aware.
Talkback
How does SELinux stack up against grsecurity patch at www.grsecurity.org