From the security perspective one thing would be really interesting: SELinux support
openSUSE release 11.1 will be available in a few ticks. I tried the beta5 and RC1, and it seems that 11.1 will run fast and stable and come with a good set of new software.
11.1 comes with all necessary patches to enable SELinux but unfortunately it does not run by default. I hope to change it for 11.2.
The following steps are needed to enable SELinux on openSUSE 11.1.
- patching mkinitrd to mount /proc
- add boot parameters
- install the selinux-refpolicy RPM files, libraries and tools, mkdir /selinux
- create a config file
1. mkinitrd
To allow the init process to load the SELinux policy, the /proc filesystem has to be mounted very early. This can be done during the part of the boot process that runs from the initrd ramdisk. All you need to do is add the line "/root/usr/bin/chroot /root /bin/mount /proc" to /lib/mkinitrd/scripts/boot-boot.sh (see git.opensuse.org for the patch). After you have modified the script, just run mkinitrd to replace the old initrd in /boot.
(Note: the script /etc/init.d/boot will try to mount /proc again and fail; you can remove the lines if you like.)
Update: The line to be added was updated to "/bin/mount /root/proc" (see git and patch)
2. boot parameter
Two boot parameters are needed: selinux and enforcing.
Just use yast2 -> System -> Boot Loader to modify the "Optional Kernel Command Line Parameter" field by adding "selinux=1 enforcing=0" (enforcing should be enabled only after all policies work smoothly).
3. reference policies
openSUSE 11.1 does not come with default policies but you can add the SELinux openSUSE_Factory repo that provides you with the following RPM files:
4. config file
The SELinux config file is at "/etc/selinux/config" and should have the following content:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
Reboot your machine. Log in as root and run sestatus; the output should be:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 23
Policy from config file: refpolicy-standard
Now that should be all. Let me know if it does not work or if you have other comments.
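To check the result of steps 2 and 4 against the sestatus output, here is an added example (not part of the original post) that predicts the mode from the boot parameters and /etc/selinux/config and compares it with what sestatus reports. The function names and the sample data are constructed; it assumes SELinux stays off without selinux=1 (as the post implies) and that enforcing= on the kernel command line takes precedence over the config file.

```shell
# cmdline_param NAME "CMDLINE": print the last NAME=value given on the kernel command line.
cmdline_param() {
    val=""
    for word in $2; do
        case "$word" in "$1"=*) val=${word#*=} ;; esac
    done
    printf '%s\n' "$val"
}

# config_value KEY FILE: print KEY's value from an /etc/selinux/config style file.
config_value() {
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}

# expected_mode "CMDLINE" CONFIG: print disabled, permissive, enforcing or unknown.
expected_mode() {
    # Assumption from the page: SELinux stays off unless selinux=1 is passed.
    [ "$(cmdline_param selinux "$1")" = "1" ] || { echo disabled; return 0; }
    mode=$(config_value SELINUX "$2")
    [ "$mode" != "disabled" ] || { echo disabled; return 0; }
    # Assumption: enforcing=0/1 on the command line overrides the config file.
    case "$(cmdline_param enforcing "$1")" in
        0) mode=permissive ;;
        1) mode=enforcing ;;
    esac
    echo "${mode:-unknown}"
}

# check_boot "CMDLINE" CONFIG SESTATUS_OUTPUT_FILE: compare prediction with sestatus.
check_boot() {
    want=$(expected_mode "$1" "$2")
    if grep -q '^SELinux status:[[:space:]]*disabled' "$3"; then
        got=disabled
    else
        got=$(sed -n 's/^Current mode:[[:space:]]*//p' "$3")
    fi
    [ "$want" = "$got" ] && { echo "OK $got"; return 0; }
    echo "MISMATCH expected=$want actual=$got"; return 1
}

# Constructed sample input mirroring the values shown on this page.
demo() {
    d=$(mktemp -d) || return 1
    printf 'SELINUX=permissive\nSELINUXTYPE=refpolicy-standard\n' > "$d/config"
    printf 'SELinux status: enabled\nCurrent mode: permissive\n' > "$d/sestatus"
    check_boot "root=/dev/sda2 selinux=1 enforcing=0" "$d/config" "$d/sestatus"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

On a real system, save the output of sestatus to a file and pass it together with the contents of /proc/cmdline and /etc/selinux/config to check_boot. A MISMATCH after switching to enforcing usually means the boot loader entry still carries enforcing=0.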