Novell heeds SUSE users' call for SELinux security option

By Pam Derringer, News Writer
05 Sep 2008 | SearchEnterpriseLinux.com


SUSE Linux administrators will have a choice in intrusion detection systems next year: They can use the complex, military-grade Security-Enhanced Linux (SELinux) or, instead, Novell Inc.'s simpler AppArmor security tool.

In response to some requests, the Waltham, Mass.-based company has decided to stop disabling SELinux within the Linux kernel, starting with the next version of OpenSUSE 11.1, which is expected in December, and SUSE Linux Enterprise 11 for servers and desktops, which will follow in the first half of 2009.

But the change does not mean that Novell will back AppArmor any less. In fact, Novell will not offer support for SELinux. So users who try it are on their own, according to Holger Dyroff, Novell's vice president of product management for SUSE Linux.

"We had some demand from people who wanted to try out SELinux," Dyroff said. "But we still recommend AppArmor."

SELinux vs. AppArmor
The SELinux access controls are based on a National Security Agency-funded framework, in which IBM has played a key development role over the past seven or eight years, according to Doc Shankar, an IBM distinguished engineer. Red Hat incorporated SELinux into Red Hat Enterprise Linux 4 and 5, and Ubuntu and Gentoo are in the process of adding it now, he said.

According to Novell's Dyroff, both security tools provide the same basic function of intrusion prevention, which ensures that an intruder who gains unauthorized entry to an environment has no rights, can do nothing except look at a file, and cannot go anywhere else. These safeguards help contain the damage.

Where AppArmor and SELinux differ is that SELinux adds a framework for complex rules-based access policies, which an administrator has to create, defining who has the rights to see documents with different levels of security restrictions, Dyroff said. Once established, these access policies are automatically and absolutely enforced.

But SELinux involves clear tradeoffs in terms of ease of use. The problem is that SELinux is built on such a complex architecture that it is difficult to use or configure without a doctorate in mathematics, Dyroff said. Once a user begins customizing an SELinux install, the structure of the underlying framework becomes even more obscure, he added.

In contrast, AppArmor simply builds a firewall around an application and defines which files can be read, written or executed in a straightforward manner; it's easy for anyone who understands file system rules to administer, Dyroff said. Further, AppArmor offers sufficient protection for nearly all businesses, he said. Only the U.S. military needs the extra access controls that SELinux provides.

Can SELinux move beyond the early adopters?
Daniel Walsh, an SELinux engineer with Red Hat, said that SELinux is complicated for administrators to understand because it adds a third, unfamiliar step to the customary verification process for permitting access to the operating system. In addition to checking ownership and permissions, administrators also must check SELinux's identifying labels attached to all processes, files and objects in the operating system, and access can be denied if the labels are not correct, he said.

But Walsh predicted that over time, as administrators get used to SELinux, its controls will be activated more and more (instead of being turned off).

SELinux's complexity was an important theme at the recent LinuxWorld Conference & Expo this summer, with Shankar and other security speakers agreeing that if SELinux is to move beyond early adoption, the tool needs to become easier to use.

But even if SELinux does become more user-friendly, its access controls don't automatically confer security on an operating system or application, they said. The reason: applications are shipped with all the settings at the broadest range to avoid crashing upon install and, therefore, do not provide airtight access protection until administrators create access control policies.

Meanwhile, Novell's quest for the perfect Linux security tool continues. Even as it has restored SELinux functionality to SUSE's Linux kernel, Novell has added controls for network devices to AppArmor and is exploring other security solutions with a simpler architecture than SELinux, Dyroff said. The effort isn't intensive, however, because there isn't enough demand, he added.

All Rights Reserved, Copyright 2003 - 2009, TechTarget