LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Distributions page

Recent Features

LWN.net Weekly Edition for July 2, 2009

RealtimeKit and the audio problem

VFAT patent avoidance and patent workarounds

LWN.net Weekly Edition for June 25, 2009

Apache attacked by a "slow loris"

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

openSUSE to add SELinux

[Posted August 21, 2008 by corbet]

From:  Andreas Jaeger <aj-AT-suse.de>
To:  opensuse-factory-AT-opensuse.org
Subject:  openSUSE to add SELinux Basic Enablement in 11.1
Date:  Wed, 20 Aug 2008 16:58:09 +0200
Message-ID:  <howsibag3i.fsf@reger.suse.de>
Archive-link:  Article, Thread 


I just published the following on news.opensuse.org:

We have exciting news for security enthusiasts, experts, and paranoid people!

Beginning with openSUSE 11.1, SUSE users will have an additional option
regarding security frameworks. In addition to AppArmor, we will be
adding SELinux capabilities in openSUSE 11.1, which will allow users to
enable SELinux in openSUSE if they wish.

While our customer experience shows that AppArmor is the best solution
for the vast majority of users, applications, and use cases, we want to
give all of our users the ability to choose the security framework
that? appropriate for their respective environments and needs.

We continue to enable AppArmor as our default Host Intrusion Prevention
System, and we are supporting it as the default in openSUSE 11.1 and in
SUSE Linux Enterprise 11.

However we are adding functionality to allow openSUSE 11.1 systems to
use SELinux instead. In the SUSE Linux Enterprise 11 platform, SELinux
will also be shipped as a technology preview. This is particularly
important for organizations that have already standardized on SELinux,
but could not even test-drive SUSE Linux Enterprise before without major
work and changes.

What does SELinux basic enablement mean?

    * We will ship the kernel with SELinux support.
    * We will apply SELinux patches to all ?common? userland packages.
    * The libraries required for SELinux (libselinux, libsepol,
      libsemanage, etc.) will be added to openSUSE and SUSE Linux
      Enterprise.
    * However, we are not offering enterprise class support for SELinux
      at this time; thus we will run QA with SELinux disabled ? to make
      sure that SELinux patches don? break the default delivery and the
      majority of packages.  
      Although we will not be running QA with SELinux enabled, we
      encourage our testers to run tests with SELinux enabled and report
      issues and enhancement requests back to us.
    * We will not be shipping SELinux specific tools as part of the
      default distribution delivery. However, the packages (such as
      checkpolicy, policycoreutils, selinux-doc) will be available
      through the openSUSE and SUSE Linux Enterprise repositories.
    * We will not be shipping any SELinux policies in the
      distribution. (Reference and maybe minimal policies will be
      available from the repositories.)

By enabling SELinux in our upcoming codebase, we add missing pieces of
code that exist in the community already, and we allow those who wish to
use SELinux to do so conveniently without having to replace a big chunk
of the distribution.

Questions about SELinux enablement should be discussed on the
opensuse-factory mailing list.

Andreas
-- 
 Andreas Jaeger, Director Platform / openSUSE, aj@suse.de
  SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
   Maxfeldstr. 5, 90409 Nürnberg, Germany
    GPG fingerprint = 93A3 365E CE47 B889 DF7F  FED1 389A 563C C272 A126
(Log in to post comments)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds