[opensuse-factory] Fixing SELinux on openSUSE
Hey all,
One of the things that has been bothering me for a couple of years now is how broken the SELinux stack in openSUSE has been. I know that the SUSE distributions have supported AppArmor and SELinux with AppArmor as the default, but I was surprised to see how easy it was to break my system using the SELinux policy that openSUSE ships.
To that end, I've started engaging with the upstream for Fedora's SELinux policy on getting the pieces in place for it to work on openSUSE. I've started work on porting the selinux-policy used in Fedora to openSUSE and collecting the delta of things to send upstream. Upstream was quite excited to hear about getting the policy in openSUSE and has been willing to help me in doing so.
The good news is my local tests indicate that the system works quite a bit better as it is with selinux-policy from there. The bad news at the moment is that it's still not quite where I want it to be. I hope to get some initial work uploaded into OBS soon and proceed from there.
If anyone is interested in assisting with this, let me know. I'd greatly appreciate help from the existing SELinux stack maintainers and anyone else interested in having working SELinux on openSUSE.
Best regards, Neal
-- 真実はいつも一つ!/ Always, there's only one truth!
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Mon, 2019-08-12 at 11:26 +0200, Neal Gompa wrote:
Hey all,
One of the things that has been bothering me for a couple of years now is how broken the SELinux stack in openSUSE has been. I know that the SUSE distributions have supported AppArmor and SELinux with AppArmor as the default, but I was surprised to see how easy it was to break my system using the SELinux policy that openSUSE ships.
To that end, I've started engaging with the upstream for Fedora's SELinux policy on getting the pieces in place for it to work on openSUSE. I've started work on porting the selinux-policy used in Fedora to openSUSE and collecting the delta of things to send upstream. Upstream was quite excited to hear about getting the policy in openSUSE and has been willing to help me in doing so.
The good news is my local tests indicate that the system works quite a bit better as it is with selinux-policy from there. The bad news at the moment is that it's still not quite where I want it to be. I hope to get some initial work uploaded into OBS soon and proceed from there.
If anyone is interested in assisting with this, let me know. I'd greatly appreciate help from the existing SELinux stack maintainers and anyone else interested in having working SELinux on openSUSE.
Best regards, Neal
Hi Neal,
I think this is an awesome idea. I feel openSUSE really needs better SELinux support and I'd like to see SUSE as well as folks like you in the openSUSE community really driving this forward.
Regards,
-- Richard Brown
Linux Distribution Engineer - Future Technology Team
Chairman - openSUSE
Phone +4991174053-361
SUSE Linux GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 21284 (AG Nürnberg)
On 2019-08-12, 09:26 GMT, you wrote:
If anyone is interested in assisting with this, let me know. I'd greatly appreciate help from the existing SELinux stack maintainers and anyone else interested in having working SELinux on openSUSE.
I am not a big C programmer, but I have been using SELinux (and filing many many bugs to RedHat SELinux developers) while working for RedHat, and I would love to use SELinux again on openSUSE. I am willing to use Alpha-quality packages and file a lot of bugs whenever something doesn’t work. That’s probably the most I can do.
Best, Matěj
-- https://matej.ceplovi.cz/blog/, Jabber: mcepl@ceplovi.cz GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8
If we rise from prayer better persons, our prayers have been answered. -- a Jewish prayer book
On Mon, Aug 26, 2019 at 05:20:29PM +0200, Matěj Cepl wrote:
On 2019-08-12, 09:26 GMT, you wrote:
If anyone is interested in assisting with this, let me know. I'd greatly appreciate help from the existing SELinux stack maintainers and anyone else interested in having working SELinux on openSUSE.
I am not a big C programmer, but I have been using SELinux (and filing many many bugs to RedHat SELinux developers) while working for RedHat, and I would love to use SELinux again on openSUSE. I am willing to use Alpha-quality packages and file a lot of bugs whenever something doesn’t work. That’s probably the most I can do.
I don't have much experience with fixing stuff related to SELinux, but big +1 from me for the whole idea. I'd be happy to see SELinux support in openSUSE, use it and report any issues.
Cheers, Michal
Michal Rostecki <mrostecki@opensuse.org> writes:
On Mon, Aug 26, 2019 at 05:20:29PM +0200, Matěj Cepl wrote:
On 2019-08-12, 09:26 GMT, you wrote:
If anyone is interested in assisting with this, let me know. I'd greatly appreciate help from the existing SELinux stack maintainers and anyone else interested in having working SELinux on openSUSE.
I am not a big C programmer, but I have been using SELinux (and filing many many bugs to RedHat SELinux developers) while working for RedHat, and I would love to use SELinux again on openSUSE. I am willing to use Alpha-quality packages and file a lot of bugs whenever something doesn’t work. That’s probably the most I can do.
I don't have much experience with fixing stuff related to SELinux, but big +1 from me for the whole idea. I'd be happy to see SELinux support in openSUSE, use it and report any issues.
I too would love to see some SELinux support in openSUSE, but unfortunately my experience in this regard is very much non-existent. I could offer to create a vagrant box with SELinux enabled for simpler testing, if having something like that makes sense?
Cheers, Dan
-- Dan Čermák <dcermak@suse.com> Software Engineer Development tools SUSE Software Solutions Germany GmbH Maxfeldstr. 5 90409 Nuremberg Germany (HRB 247165, AG München) Managing Director: Felix Imendörffer
participants (5)
- Dan Cermak
- Matěj Cepl
- Michal Rostecki
- Neal Gompa
- Richard Brown