
openSUSE to Add SELinux Basic Enablement in 11.1

August 20th, 2008 by

We have exciting news for security enthusiasts, experts, and paranoid people!

Beginning with openSUSE 11.1, SUSE users will have an additional option regarding security frameworks. In addition to AppArmor, we will be adding SELinux capabilities in openSUSE 11.1, which will allow users to enable SELinux in openSUSE if they wish.

While our customer experience shows that AppArmor is the best solution for the vast majority of users, applications, and use cases, we want to give all of our users the ability to choose the security framework that’s appropriate for their respective environments and needs.

We continue to enable AppArmor as our default Host Intrusion Prevention System, and we are supporting it as the default in openSUSE 11.1 and in SUSE Linux Enterprise 11.

However, we are adding functionality to allow openSUSE 11.1 systems to use SELinux instead. In the SUSE Linux Enterprise 11 platform, SELinux will also be shipped as a technology preview. This is particularly important for organizations that have already standardized on SELinux, but previously could not even test-drive SUSE Linux Enterprise without major work and changes.

What does SELinux basic enablement mean?

  • We will ship the kernel with SELinux support.
  • We will apply SELinux patches to all “common” userland packages.
  • The libraries required for SELinux (libselinux, libsepol, libsemanage, etc.) will be added to openSUSE and SUSE Linux Enterprise.
  • However, we are not offering enterprise-class support for SELinux at this time; thus we will run QA with SELinux disabled – to make sure that SELinux patches don’t break the default delivery and the majority of packages.
    Although we will not be running QA with SELinux enabled, we encourage our testers to run tests with SELinux enabled and report issues and enhancement requests back to us.
  • We will not be shipping SELinux specific tools as part of the default distribution delivery. However, the packages (such as checkpolicy, policycoreutils, selinux-doc) will be available through the openSUSE and SUSE Linux Enterprise repositories.
  • We will not be shipping any SELinux policies in the distribution. (Reference and maybe minimal policies will be available from the repositories.)
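The list above leaves a default install in a particular state: the kernel registers the SELinux LSM, but no policy is loaded and nothing is enforced. The following script is an added example, not part of the openSUSE announcement; it tells that state apart from a box with a loaded policy using only the kernel's own interfaces (/proc/filesystems, /proc/self/attr/current and the selinuxfs mount at /sys/fs/selinux, or /selinux on kernels of the 11.1 era). The optional root prefix lets it run against a constructed directory tree as well as the live system.

```shell
#!/bin/sh
# Added example (not openSUSE's code): classify a system's SELinux state.
# $1 is an optional root prefix so the check can run on a constructed tree.
# Output is one of:
#   no-kernel-support  kernel built without the SELinux LSM
#   no-policy          kernel support present, no policy loaded ("basic enablement")
#   permissive         policy loaded, denials only logged
#   enforcing          policy loaded and enforced
#   policy-loaded      policy loaded but selinuxfs not readable, mode unknown
selinux_state() {
    root="${1:-}"
    # A kernel with CONFIG_SECURITY_SELINUX registers the selinuxfs
    # pseudo-filesystem; it appears in /proc/filesystems even if never mounted.
    if ! grep -q 'selinuxfs' "$root/proc/filesystems" 2>/dev/null; then
        echo no-kernel-support
        return 0
    fi
    # Until a policy is loaded every task carries the initial "kernel" label,
    # so the caller's own label shows whether a policy is active.
    ctx=$(cat "$root/proc/self/attr/current" 2>/dev/null | tr -d '\000\n')
    if [ -z "$ctx" ] || [ "$ctx" = "kernel" ]; then
        echo no-policy
        return 0
    fi
    # selinuxfs is mounted at /sys/fs/selinux on current kernels and was at
    # /selinux in the openSUSE 11.1 era; its "enforce" file holds the mode flag.
    for mnt in "$root/sys/fs/selinux" "$root/selinux"; do
        if [ -r "$mnt/enforce" ]; then
            [ "$(cat "$mnt/enforce")" = "1" ] && echo enforcing || echo permissive
            return 0
        fi
    done
    echo policy-loaded
}

# Constructed tree (not a real system) mimicking a basic-enablement install:
# selinuxfs registered by the kernel, no policy loaded.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/self/attr" "$d/sys/fs/selinux"
    printf 'nodev\tproc\nnodev\tselinuxfs\n\text3\n' > "$d/proc/filesystems"
    printf 'kernel' > "$d/proc/self/attr/current"
    echo "$d"
}

t=$(demo_tree)
echo "constructed tree: $(selinux_state "$t")"   # no-policy
rm -rf "$t"
```

Run it without an argument on a real host to see which of the five states applies there.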

By enabling SELinux in our upcoming codebase, we add missing pieces of code that exist in the community already, and we allow those who wish to use SELinux to do so conveniently without having to replace a big chunk of the distribution.

Questions about SELinux enablement should be discussed on the opensuse-factory mailing list.

Andreas


32 Responses to “openSUSE to Add SELinux Basic Enablement in 11.1”

  1. OpenSUSE

    Hey the news is GREAT
    long live OpenSUSE

  2. Security paranoid people (like me :) ) are waiting for encryption of the root partition in OpenSUSE. Currently OpenSUSE is behind Fedora and Ubuntu in this area :(

    • Bliss

      True, I would like to see full system encryption in my favorite distro too!

      • Marcus Meissner

        Full disk encryption is mostly implemented for 11.1.

        But it brings interesting problems, like how to handle Laptop suspend and resume and so on.

        • Bliss

          So it will be enabled and an option upon install in 11.1?! That would be great indeed.

    • Andreas Jaeger

      I don’t think that clean patches would be rejected ;)

    • I have another idea for encryption. It would be nice to have every home directory, like /home/marek and /home/diff-user, stored in an img file at /home/marek.img and /home/diff-user.img, with both of these files encrypted with a different (user-configurable) algorithm and a different key (maybe the same as the login password). At login time this img can be mounted on the related mountpoint in /home. (And of course at logout time the images are unmounted and the keys in memory are overwritten with a string from a pseudorandom generator.) This provides encryption protection for every user on multiuser desktops and notebooks. :-) What do you think? Is this an idea for openFATE?

  3. jengelh

    Wait wait wait. SELinux was briefly in the 9.x series SUSE IIRC, and then it got ripped out again — probably with good reason. Why would it be added back again?

    • Marcus Meissner

      For SLES 9, yes.

      But at this time the userland patches were massive and not in the upstream packages, which they are now.

      So in earlier times it was a high maintenance burden on us for no gain.

      Now SELinux has matured and userland utilities have it in their versions, so adding them does not incur much additional costs.

      Also customers are requesting the ability to enable SELinux, and those changes are required. (Even if we do not support it out of the box.)

      Ciao, Marcus

  4. Security is never too much… bring on the encryption of the root partition!!!

  5. Tahvok

    Where can a newbie like me learn more about the encryption for root, and why we need it? Link please :)

  6. jonathan

    yeah, i’m a newbie too and i’ve got no idea what is so exciting about this article. can anyone give us a link so that we’ll know more about all this security and encryption thing?

  7. praveenkunjapur

    @Tahvok and Jonathan: You can check this link for more info about encryption – http://en.wikipedia.org/wiki/Encryption .
    Please make sure you also check the ‘See also’ section in the same page which gives links to Cryptography, Cold boot attack, Encryption software, Cipher, Key, Full Disk Encryption and Secure Network Communications.

  8. Caladan

    Just a small question to the people who talk about root encryption: are you using truecrypt 5, and if not, why not? It seems it can do just that, or?

    • Bliss

      Truecrypt full disk encryption is windows only. For linux no third party stuff is necessary (well, if the distro supports it).

  9. kwins

    But we wait :D

  10. neo

    “But at this time the userland patches were massive and not in the upstream packages, which they are now.”

    Yes, because Red Hat did the work in getting those patches in. Instead of ripping it out earlier, Novell could have helped but they were busy spreading FUD against SELinux.

    “Also customers are requesting the ability to enable SELinux, and those changes are required. (Even if we do not support it out of the box.)”

    Oh, you will support it soon. Novell fired the entire AppArmor team and you are going to have to support SELinux and eat crow about your earlier statements.

    http://etbe.coker.com.au/2008/08/23/apparmor-is-dead/

    This is typical Novell. Dropping support all the time after adopting some technology in competition to Red Hat and then later following what Red Hat does. Making GNOME default in SLES, making ext3 default, dropping support for various other technologies etc etc.

    • moz

      I agree with you to a point Neo. Novell, and Red Hat for that matter, tend to go out of their way to adopt something different to each other.

      The statement about adopting GNOME goes a bit far though. They did purchase Ximian – you know, the people who created GNOME – so it stands to reason they would adopt it as the default graphical environment.

      Reiserfs, well, who could have predicted that Hans was an axe-wielding maniac and would be convicted of murder.

  11. Tim

    > We will ship the kernel with SELinux support.

    Wow, really? I thought SELinux support was part of 2.6?

    > However, we are not offering enterprise class support for SELinux at this time; thus we will run QA with SELinux disabled

    Which translates to “We don’t care, play yourself if you want. If you find any problems, let us know and send a fix”

    > We will not be shipping SELinux specific tools as part of the default distribution delivery.

    Why ?

    > We will not be shipping any SELinux policies in the distribution. (Reference and maybe minimal policies will be available from the repositories.)

    And that explains everything – without policy, SELinux is useless.

    • Andreas Jaeger

      Tim, SELinux is part of the Linux 2.6 kernel but it needs to be enabled. The sentence means “We will ship your binary kernel with SELinux support enabled”.

      openSUSE 11.1 will only have the basic SELinux support – and then let’s see where we go from there. If anybody is interested, they can add profiles on their own – and we can integrate later profiles if needed. With the timeframe of openSUSE 11.1 anything beyond the basic enablement is not doable.

  12. neo

    “Tim, SELinux is part of the Linux 2.6 kernel but it needs to be enabled. The sentence means “We will ship your binary kernel with SELinux support enabled”.”

    Big deal. Either support it properly or don’t support it. What’s with the half baked job you are doing now?

    “With the timeframe of openSUSE 11.1 anything beyond the basic enablement is not doable.”

    It is, if you had spent your time working on proper support. You fired the entire AppArmor team anyway. So why not concentrate on SELinux?

  13. Tim

    “You fired the entire AppArmor team anyway. So why not concentrate on SELinux?”

    Let’s calm down and give them some time. They probably already realized that AppArmor was a mistake. Perhaps it was easy, friendly and nice but not necessarily a way to compete with Redhat in terms of real security. Hopefully, this decision is just the beginning and not only PR noise.

    • anonymous

      > Let’s calm down and give them some time.

      Just kidding? After 8 years, when Suse gets bigger and very buggy, “some time” is more than over!

      Come on, *every* other distribution tries to get better and every Suse version disappoints most people because of primitive errors, special configuration system + locations and Yast failures.

      With Novell onboard, Suse becomes really awful.

  14. neo

    “Let’s calm down and give them some time”

    How much time? The 2.6 kernel even during a pre-release had support for SELinux. Fedora had it in Fedora Core 2 (released on May 18th, 2004). Fedora Core 3 (released on November 8th, 2004) had it enabled by default. Red Hat commercially supported it and enabled it by default starting from RHEL 4 (released on 15 Feb 05). Due to this, RHEL 5 has the highest grade security certification among any commercially available off the shelf operating system.

    http://www.press.redhat.com/2007/03/14/red-hat-enterprise-linux-5-security/

    Meanwhile Novell was busy spreading FUD against SELinux. That might have been acceptable had they supported an alternative properly, but they fired the entire apparmor team and the lead is now working for Microsoft! Ok, so you made a mistake. Why not accept that and support what Red Hat has supported and got various upstream projects to support fully instead of what Novell is doing at the moment? This is horrible NIH really.

  15. Andreas Jaeger

    Neo, Novell did not fire the entire AppArmor team, there are still engineers working on it.

    Btw. SUSE Linux Enterprise Server 9 was the first Linux OS to be EAL4+ certified and SLES10 is as well.

  16. neo

    “Novell did not fire the entire AppArmor team”

    Your company claimed otherwise in the press. Do I need to remind you? Your company said now it is community supported, which is laughable for a supposedly enterprise product.

    //news.cnet.com/8301-13580_3-9796140-39.html?part=rss&subj=news&tag=2547-1_3-0-5

    If you disagree with your employer, name them. How many people? You are supposed to be an open source company, right?

    “Btw. SUSE Linux Enterprise Server 9 was the first Linux OS to be EAL4+ certified and SLES10 is as well.”

    EAL4+, yes, but not CAPP, RBAC and LSPP

    • Andreas Jaeger

      Neo, you are referencing an interview with Crispin where he makes some statements, not Novell.

  17. neo

    “you are referencing an interview with Crispin where he makes some statements not Novell does them”

    Oh, I must be hallucinating then.

    “”An open-source AppArmor community has developed. We’ll continue to partner with this community,” … Lowry said.”

    That is Novell spokesman Bruce Lowry explaining why Novell fired the team. Crispin was your lead developer so I am pretty sure what Novell has done. Perhaps you have a way to differentiate Novell from a Novell spokesperson as well. I wouldn’t know. Educate me about it. If you have an enterprise product, wouldn’t you need in-house engineers actively developing and maintaining it for customers? How does firing the team help with that? If customers wanted a “community”, they wouldn’t pay a commercial organization like Novell to support them, right? Who is supporting AppArmor in Novell now? Name the engineers please. I ask because I know them all. I haven’t seen any major features after the team was fired.

    Also now that Novell has started enabling SELinux (even though SELinux without policy is silly beyond belief), how about correcting all the misinformation from your sales team that SELinux policy changes always require rebooting your system?

  18. Tim

    “how about correcting all the misinformation from your sales team that SELinux policy changes always require rebooting your system?”

    Heh, I also remember claims that applications need to be recompiled to be “fully” (whatever it means) protected by SELinux.

  19. quickshade

    The Cnet article states 4 people got laid off, so unless it was only 4 people working on the project I’m sure there are others. Not to mention maybe someone else picked up the slack; maybe novell realized they had too many people spread out into too many areas. For the most part community developed software seems to be coming along fine anyways. I prefer app armor. It works much better and doesn’t block stupid programs that shouldn’t be blocked in the first place. It’s also way easier to configure and shut off, unlike SElinux, which DOES require a restart. Not even windows requires that. Plus keeping 2 programs alive makes for healthy competition, something that has really made novell shine (since Ubuntu started kicking some ass.)

  20. Thanks and you

  21. UTAKA

    SHUUUUT UUUUUP, ALL YOU DO IS TAAAAAAAAAAAAAALK