It’s official: SELinux is now available in the Ubuntu development (‘Hardy Heron’) distribution. “This is the result of the amazing work of the ubuntu-security and ubuntu-hardened teams, as well as the huge contributions from the folks at Tresys (SELinux will not be the default, but is available as a security option).” In other news, Sun has started offering Ubuntu as an option.
Since it’s not installed by default, I wonder how well it will work with all the software in Ubuntu’s huge repositories. Will there be enough Ubuntu users testing it?
Likely not in the short term. When Fedora adopted SELinux in Fedora Core 2 it caused a lot of issues and ended up being disabled by default. Then a targeted policy was designed with just about a dozen programs for Fedora Core 3 and then enabled by default.
Over a period of 6 releases, a lot of policy development, additional tools development, performance work etc. has been done, and it has slowly reached the stage where most of the thorny issues are resolved and it works seamlessly for quite a large number of users.
Ubuntu (and any other distros) introducing SELinux, even disabled by default, is currently a good first step before getting the rest of the programs working together with SELinux, which is actually the bigger part of the integration work that needs to be done. They could probably benefit a lot from adopting the policies and tools development done within Fedora and making adjustments where necessary. More distributions adopting this technology is good for improving the overall state of security in Linux, since writing policies tends to expose potential security issues, and if you end up disabling SELinux for some programs or even entirely you still get a lot of the residual benefits from it.
James Morris, one of the Red Hat SELinux developers, posted his thoughts at
http://james-morris.livejournal.com/27494.html
Edited 2008-03-19 23:54 UTC
Even though I'm a Fedora user, I'd like to see it get more testing and adoption.
Ubuntu aims for desktop users, so it will be interesting to see how they use it. Fedora's targeted policy works well for servers. Maybe the Ubuntu folks will focus on things like browser integration or the desktop.
SELinux in Fedora already covers the desktop quite well, including programs like HAL. In Fedora 9, Xorg will have an SELinux framework, and browser integration is being developed too.
http://danwalsh.livejournal.com/15700.html#cutid1
My impression is that SELinux is not the sort of thing that you can throw into the repository and say “Hey! Now we have SELinux!”. It’s taken Fedora 7 releases, and 4 years, to get it to where it is now in their distros. (And it still needs some work, or we wouldn’t still see so many “discussions” about whether it’s reasonable to turn it off.) Even the most optimistic among us would not try to argue that it was ready before FC6, which would make it 5 releases and 3 years.
Frankly, I’d like to see SELinux/Fedora go head to head with AppArmor/Ubuntu and see which one comes out on top in real world competition. IMO, too many are ready to summarily declare SELinux the victor.
Edited 2008-03-20 14:24 UTC
Debian has had SELinux packages in the repositories for a long time now, but for some reason Ubuntu had gone with AppArmor instead.
Though I’ve never tried actually setting SELinux up in Debian, every time I had tried Fedora, I ended up disabling it, because it was just annoying me. But that was a few releases ago, and I’d just automatically disable it during install on the later releases, so I’m not really qualified to say if it’s still getting in the way on anything newer than Fedora 6.
Even “disabled”, it’s still impacting performance unless you manually add “selinux=0” to your kernel boot string. SELinux is kind of like lice. Once your machine is infested, it’s very difficult to really get rid of it.
I sense a little dichotomy here. If it’s as simple as adding selinux=0 to your kernel boot string, where’s the “very difficult” bit?
Not a rhetorical question, I frankly have no idea of kernel level SELinux mechanisms.
The “difficult” bit (perhaps “tricky” might have been a better term) is knowing that you can’t just disable it and have it really be out of the way. “Disabling” SELinux during the install, or afterward, merely causes it not to load a policy. I imagine that most people who think they have it disabled really don’t, not realizing that you have to manually edit grub.conf to add the right string after every kernel upgrade to avoid the “SELinux tax” on performance.
Edited 2008-03-20 12:16 UTC
I’ve heard that trick before.
Doesn’t that switch have to be compiled into the kernel to work?
Yes. I’d forgotten about that. If the current kernel has not been compiled to honor that parameter, the user has to recompile the kernel to avoid the SELinux tax. I don’t believe that Red Hat and Fedora go quite *that* far out of their way to make it hard to turn off. Typically, they won’t actively fight users. But don’t expect them to lift a finger to help users do anything of which they do not approve.
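The three things the posts above are arguing about (a policy-not-loaded setting in /etc/selinux/config, a `selinux=0` kernel parameter, and whether the kernel was even built to honour that parameter) can be read off a system rather than guessed at. The shell function below is an added example, not code from anyone in this thread or from the Fedora or Ubuntu projects. It takes the three inputs as file paths so it can be run against constructed copies; on a live system those are /proc/cmdline, /etc/selinux/config and the kernel build config, which Fedora and Ubuntu ship as /boot/config-$(uname -r) (that path layout is an assumption of the example). CONFIG_SECURITY_SELINUX_BOOTPARAM is the real Kconfig symbol that makes the kernel honour `selinux=0`.

```shell
#!/bin/sh
# Added example (not from the thread): report how SELinux is, or is not, disabled,
# distinguishing "init does not load a policy" (SELINUX=disabled in the config file)
# from "the LSM is switched off on the kernel command line" (selinux=0), and noting
# when selinux=0 is present but the kernel was built without BOOTPARAM support.
#
# Usage: selinux_state CMDLINE_FILE SELINUX_CONFIG_FILE KERNEL_CONFIG_FILE
# Prints exactly one of:
#   off-at-boot      selinux=0 on the command line and the kernel honours it
#   param-ignored    selinux=0 given, but CONFIG_SECURITY_SELINUX_BOOTPARAM is unset
#   policy-disabled  SELINUX=disabled: no policy loaded, LSM still compiled in
#   permissive       SELINUX=permissive in the config file
#   enforcing        SELINUX=enforcing in the config file
#   unknown          config file missing or has no SELINUX= line
selinux_state() {
    cmdline=$1
    conf=$2
    kconfig=$3

    # Does this kernel honour the selinux= boot parameter at all?
    bootparam=no
    if [ -r "$kconfig" ] && grep -q '^CONFIG_SECURITY_SELINUX_BOOTPARAM=y' "$kconfig"; then
        bootparam=yes
    fi

    # Split the command line into one word per line and look for an exact selinux=0.
    if [ -r "$cmdline" ] && tr ' ' '\n' < "$cmdline" | grep -qx 'selinux=0'; then
        if [ "$bootparam" = yes ]; then
            echo off-at-boot
        else
            echo param-ignored
        fi
        return 0
    fi

    # No boot-time switch: fall back to what /etc/selinux/config asks init to do.
    # Only uncommented SELINUX= lines count; the stock file has a commented example.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$conf" 2>/dev/null | tail -n 1)
    case "$mode" in
        disabled)   echo policy-disabled ;;
        permissive) echo permissive ;;
        enforcing)  echo enforcing ;;
        *)          echo unknown ;;
    esac
}

# Stand-alone use: inspect the running system (Fedora/Ubuntu path layout assumed).
if [ -r /proc/cmdline ]; then
    selinux_state /proc/cmdline /etc/selinux/config "/boot/config-$(uname -r)"
fi
```

The config-file result only says what init was asked to do at boot; the running kernel's own answer is the `enforce` file in selinuxfs (/selinux on kernels of this era, /sys/fs/selinux on later ones), and its absence after boot means no policy is loaded.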
Hmm… The Fedora Core 3 selinux FAQ mentions the boot switch, but I can’t find anything about Fedora 8.
http://docs.fedoraproject.org/selinux-faq-fc3/index.html#id2825880
I’ll have to try this.
Never mind, I found it indirectly.
http://www.fedorafaq.org/#reiserjfs
Do you have a source for that?
My Google-fu failed me – I just find information about the performance loss when actually using it.
As I recall it is in the FC5 SELinux FAQ.
You are apparently relying on very outdated information. This was true on Fedora Core 2 but not on the recent releases. There should be no performance difference between disabling it via the configuration or using the boot loader option.
Well, that’s nice to hear. The FC5 SELinux FAQ implies it to still be true. It is, so far as I know, the latest one out. Sounds like the latest FAQ is not only out of date, but erroneous, as well. If the information provided by the project is “very outdated” then it will be “very outdated information” upon which people will rely.
Edited 2008-03-20 20:43 UTC
Where does it imply that? IMO, you should take more care to verify something before posting information, and provide your sources so others can independently know what you are talking about, especially when you do so repeatedly.
If people had realized you are talking about a FAQ which is no longer maintained and based on Fedora Core 5 release, that adds a lot of additional context that is missing otherwise. The FAQ already says that information in that FAQ must be considered specific to the release.
http://docs.fedoraproject.org/selinux-faq-fc5/
“This FAQ is specific to Fedora Core 5”
Extrapolating that to automatically apply to the latest release is misleading. A lot of details have changed between that and the current releases.
Edited 2008-03-20 21:12 UTC
Well, if we are playing the “you should…” game, then I guess “you should” provide a FAQ later than the FC5 one. Don’t fail to provide an up to date FAQ and then get mad when you find that people are unaware of the latest info.
The FAQ clearly says it is release specific, and nowhere does it imply, as far as I can see, any performance difference between disabling SELinux via a configuration file or a boot option, as you claimed it did. I am not mad at anyone. Merely saying you are wrong and you have no reference for your claims.
Edited 2008-03-20 21:30 UTC
Very well. I’ll run sysbench and post my results.
No, you’re not, because SELinux troubleshooting has been further refined all the time since Fedora 6.
Although one might argue that most desktop users don’t really need SELinux, I have never disabled it on either CentOS or Fedora; the system tells you what’s going on if something’s going on, so there’s no immediate need to just disable it.
There’s a lot of myths around SELinux, and frankly, the NSA is the last institution on earth that I would ever trust, but it is sort of actually manageable on recent Fedora systems. Red Hat is investing in this, obviously, so it will be even more manageable in RHEL 6.
I ~was~ going to make the comment “wow, Ubuntu has finally caught up to Fedora”, but it seems as if I would be late in doing so.
I ran Fedora for years (ever since 3), and I have just recently swapped over to Ubuntu, mainly because of the universe / multiverse repo. When Fedora gets that in place, so I don’t have to go adding in other RPM repos for good 3rd party apps, I will come back.
Fedora 9 has the repos combined now in RPM Fusion.
Not that it was hard to do before. I installed all the repos in Fedora 8 with 1 command (people have RPMs for all the repos to be added).
AppArmor is easier to administer and doesn’t have the penalty SELinux has……
Why isn’t that adopted more?
Well, it’s commendable that Ubuntu has support for AppArmor and SELinux, but it’s still far from matching Fedora and RHEL in the security department. SELinux is only a small part of the security package in Fedora and RHEL.
That said, Fedora and RHEL are far from matching Ubuntu’s sheer software selection.
Like all distributions there are trade-offs.
Don’t get over-excited about Ubuntu’s software selection, at least if security matters to you. Most of the packages in Ubuntu belong to the “universe” component that “comes with no guarantee of security fixes and support.”
http://www.ubuntu.com/community/ubuntustory/components
FUD much?
“””
Canonical does not provide a guarantee of regular security updates for software found in universe but will provide these where they are made available by the community.
“””
If your distro does not have the package, and you consequently compile from source, where does your guarantee of security updates come from? The community?
I don’t see how choosing a distro with smaller repos can be regarded as being safer. Less convenient, certainly. But not safer.
You’re accusing Canonical of spreading FUD?
I’d like to defend Canonical against your accusations. When Canonical announces that “Users should understand the risk inherent in using packages from the universe component”, they’re only doing the right thing, IMO.
There are basically two ways to keep a distro secure. Either you keep it up-to-date so that the security updates come directly from the upstream developers. Or if you don’t keep packages up-to-date, then you should provide security updates.
But Ubuntu doesn’t get version updates for six long months, and most of their packages don’t get any official security support. Using packages from the “universe” component is a definite security risk, and Canonical is doing the right thing in informing users about this risk.
So you should think twice before you criticize Canonical for doing the right thing. Shame on you.
You silly chicken.
Universe does get security updates. Just not guaranteed ones. Like Debian, the Universe updates are the responsibility of the community.
With the main Ubuntu repository, and (some) other distros’ repos, it is basically the same thing. Security updates are promised. Of course, some distros don’t promise anything at all.
Outside of that, you have to keep on top of updates yourself. It doesn’t matter if you compile it yourself or get it from Universe… except that with Universe you likely will have security updates. It’s just not guaranteed by Canonical, and is a best effort community venture. Debian depends entirely upon community effort. (I don’t recall Debian Corporation ever guaranteeing any dedicated corporate resources.)
And if you *don’t* get updates from Universe… you fall back to compiling from source… just like users of distros with smaller repos had to do in the first place, with no hope of reprieve:
./configure… try to figure out what went wrong and why it’s not seeing that library that you *know* is there… make… try to figure out why configure didn’t catch that missing dependency, and where the hell do you find it, anyway? … make install… oops… su root… make install
Lather… rinse… repeat.
I don’t miss it.
I agree with many posters that the addition of SELinux will cause pain for those who wish to play with it. However, it is a valuable addition; once you get your head around it, you begin to realise that it really does provide a great deal of benefit towards having a really secure system.
Is it for everyone – no. Is it good for Ubuntu – yes.
This sort of addition can only help in getting Ubuntu into the bigger data centers and corporate spaces.
Regards,
Peter
hackertarget.com