Well, there was a lot of work done regarding SELinux this week.
The first step was to bring the next milestone of 11.3 to the level of 11.2 by adding load_policy to the mkinitrd scripts. The patch was submitted to Base:System a few hours ago. This work-around was needed because we switched to upstart, which does not contain native C API calls to libselinux to load the policy from within init.
The next step was to fix the file permissions of /etc/selinux/config to be 644 and to add some functionality to the selinux-ready script. Both are in security:SELinux now and on their way to opensuse:Factory.
The last essential problem to solve was enabling pam_selinux and disabling pam_apparmor when you choose "Enable SELinux" in the yast2 bootloader menu. Mission accomplished. Jozef submitted a fresh new yast2-bootloader package (2.19.11) to OBS.
Update: I submitted a new version of the selinux-ready script a few seconds ago to verify if restorecond was enabled in runlevel 3 and/or 5.
Note: Without a working policy for openSUSE and more beta-testers, SELinux is still no option for common users.
Far from perfect but a little step ahead! Thanks to everyone involved.
4 comments:
I just wanted to say thanks for your work on integrating SELinux.
Regarding the help, could you please do some "How to get started with SELinux" post explaining how to "get started", what is supposed to work, common road blocks and what needs to be tested, cause it's currently quite a black hole for me what is supported / should work and what not.
Thanks a lot :)
Good idea!
I think I will enhance http://en.opensuse.org/SELinux to answer common questions.
Thomas
So is SELinux going to supplant AppArmor in SUSE Linux going forward?
AFAIK there exists no plan to replace AA. It is still our default "security mechanism".