General direction of MAC in TW?
I realize that Tumbleweed supports both AppArmor and SELinux. I have not installed Aeon or Kalpa, but it sounds like SELinux is the default. In terms of security contributions to Tumbleweed (and its downstreams), is there a general preference toward one or the other MAC? -- Tony
On Wed, Dec 20, 2023 at 1:10 AM Tony Walker <tony.walker.iu@gmail.com> wrote:
I realize that Tumbleweed supports both AppArmor and SELinux. I have not installed Aeon or Kalpa, but it sounds like SELinux is the default. In terms of security contributions to Tumbleweed (and its downstreams), is there a general preference toward one or the other MAC?
The general preference toward one or the other MAC depends on the use case. There is no "AppArmor is always better" or "SELinux is always better". Thorsten -- Thorsten Kukuk, Distinguished Engineer, Senior Architect, Future Technologies, SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nuernberg, Germany. Managing Directors: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)
On Tue, Dec 19, 2023 at 07:09:43PM -0500, Tony Walker wrote:
I realize that Tumbleweed supports both AppArmor and SELinux. I have not installed Aeon or Kalpa, but it sounds like SELinux is the default. In terms of security contributions to Tumbleweed (and its downstreams), is there a general preference toward one or the other MAC?
SUSE will be moving to SELinux over time. I can't speak for the openSUSE project overall, but everything we consume from SUSE will use SELinux going forward, so I expect that openSUSE will head in a general direction. Johannes -- GPG Key EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0 Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66 SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany. Managing Directors: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)
On 12/20/23 04:40, Johannes Segitz wrote:
On Tue, Dec 19, 2023 at 07:09:43PM -0500, Tony Walker wrote:
I realize that Tumbleweed supports both AppArmor and SELinux. I have not installed Aeon or Kalpa, but it sounds like SELinux is the default. In terms of security contributions to Tumbleweed (and its downstreams), is there a general preference toward one or the other MAC?
SUSE will be moving to SELinux over time. I can't speak for the openSUSE project overall, but everything we consume from SUSE will use SELinux going forward, so I expect that openSUSE will head in a general direction.
Johannes
When that happens, will existing installs using AppArmor be migrated to SELinux? -- Regards, Joe
On 12/20/23 11:02, Joe Salmeri wrote:
On 12/20/23 04:40, Johannes Segitz wrote:
On Tue, Dec 19, 2023 at 07:09:43PM -0500, Tony Walker wrote:
I realize that Tumbleweed supports both AppArmor and SELinux. I have not installed Aeon or Kalpa, but it sounds like SELinux is the default. In terms of security contributions to Tumbleweed (and its downstreams), is there a general preference toward one or the other MAC?
SUSE will be moving to SELinux over time. I can't speak for the openSUSE project overall, but everything we consume from SUSE will use SELinux going forward, so I expect that openSUSE will head in a general direction.
Johannes
When that happens, will existing installs using AppArmor be migrated to SELinux?
If I can jump in here, I don't think it's practical to port AppArmor controls to SELinux. SELinux is much more complicated and comprehensive than AppArmor, if I'm not mistaken. I remember looking at this years ago and the consensus then was that while SELinux does a better job than AppArmor, it can do that only if it's properly configured and maintained. It was difficult enough that many admins didn't do it correctly, meaning that the simpler-to-run AppArmor gives better net security in practice. That being said, SELinux is more accepted, if not required, by large organizations like the US Department of Defense, for Linux hosts. Regards, Lew
On 12/20/23 14:36, Lew Wolfgang wrote:
On 12/20/23 11:02, Joe Salmeri wrote:
On 12/20/23 04:40, Johannes Segitz wrote:
On Tue, Dec 19, 2023 at 07:09:43PM -0500, Tony Walker wrote:
I realize that Tumbleweed supports both AppArmor and SELinux. I have not installed Aeon or Kalpa, but it sounds like SELinux is the default. In terms of security contributions to Tumbleweed (and its downstreams), is there a general preference toward one or the other MAC?
SUSE will be moving to SELinux over time. I can't speak for the openSUSE project overall, but everything we consume from SUSE will use SELinux going forward, so I expect that openSUSE will head in a general direction.
Johannes
When that happens, will existing installs using AppArmor be migrated to SELinux?
If I can jump in here, I don't think it's practical to port AppArmor controls to SELinux. SELinux is much more complicated and comprehensive than AppArmor, if I'm not mistaken. I remember looking at this years ago and the consensus then was that while SELinux does a better job than AppArmor, it can do that only if it's properly configured and maintained. It was difficult enough that many admins didn't do it correctly, meaning that the simpler-to-run AppArmor gives better net security in practice.
That being said, SELinux is more accepted, if not required, by large organizations like the US Department of Defense, for Linux hosts.
Regards, Lew
When I installed TW (originally, years ago) and then again on the new PC I built last month, it installed AppArmor both times by default. I have not done anything with the AppArmor config other than let TW update what it needs to when I do the zypper dup. If a new TW install some day starts to install SELinux by default, it would be nice if older installs would be migrated to SELinux as part of the update process. At a minimum it would seem that at least some wiki article should be provided for how to do it, but it seems like if the end user hasn't changed anything from the default AppArmor setup, some migration process would be appropriate. I'm sure many would not know how to migrate... -- Regards, Joe
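Before anyone can migrate an install from one MAC to the other, they need to know which LSM the running kernel actually has active and whether it is enforcing anything. The script below is an added example for this thread, not tooling from openSUSE, SUSE or the thread's authors. It reads the standard kernel interfaces (/sys/kernel/security/lsm, /sys/fs/selinux/enforce, /sys/module/apparmor/parameters/enabled and /sys/kernel/security/apparmor/profiles) and reports the active MAC and its mode; the parsing is kept separate from the file reads so it can be exercised on constructed sample contents without root. The sample contents embedded at the bottom are constructed, not captured from any real host.

```python
"""Report which mandatory access control LSM is active and whether it enforces.

Added example for the openSUSE thread on AppArmor vs. SELinux; not project code.
Assumes the standard kernel sysfs/securityfs paths listed below. Reading the
AppArmor profile list on a live host normally requires root.
"""
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional, Tuple

# Standard kernel interfaces (assumption: securityfs mounted at /sys/kernel/security).
LSM_LIST = Path("/sys/kernel/security/lsm")
SELINUX_ENFORCE = Path("/sys/fs/selinux/enforce")
APPARMOR_ENABLED = Path("/sys/module/apparmor/parameters/enabled")
APPARMOR_PROFILES = Path("/sys/kernel/security/apparmor/profiles")

# Major (exclusive) MAC modules; only one of these is active at a time.
MAC_MODULES = ("selinux", "apparmor", "smack", "tomoyo")


@dataclass
class MacStatus:
    active_lsms: List[str] = field(default_factory=list)
    selinux_mode: str = "absent"     # absent | disabled | permissive | enforcing
    apparmor_mode: str = "absent"    # absent | disabled | loaded-no-profiles | enforcing
    apparmor_enforced: int = 0       # number of profiles in enforce mode
    apparmor_complain: int = 0       # number of profiles in complain mode


def parse_lsm_list(text: str) -> List[str]:
    # /sys/kernel/security/lsm is one comma-separated line, e.g.
    # "lockdown,capability,landlock,yama,apparmor,bpf"
    return [name for name in text.strip().split(",") if name]


def mac_lsm(active: List[str]) -> Optional[str]:
    # The kernel lists minor LSMs too; pick the one that is a MAC module.
    for name in active:
        if name in MAC_MODULES:
            return name
    return None


def parse_apparmor_profiles(text: str) -> Tuple[int, int]:
    # Each line of the profiles file is "<profile name> (<mode>)".
    enforce = complain = 0
    for line in text.splitlines():
        if line.rstrip().endswith("(enforce)"):
            enforce += 1
        elif line.rstrip().endswith("(complain)"):
            complain += 1
    return enforce, complain


def assess(lsm_text: str, selinux_enforce: Optional[str],
           apparmor_enabled: Optional[str], apparmor_profiles: Optional[str]) -> MacStatus:
    """Pure function over file contents; None means the file was absent."""
    status = MacStatus(active_lsms=parse_lsm_list(lsm_text))
    if "selinux" in status.active_lsms:
        if selinux_enforce is None:
            status.selinux_mode = "disabled"   # built in, but selinuxfs not mounted
        else:
            status.selinux_mode = "enforcing" if selinux_enforce.strip() == "1" else "permissive"
    if "apparmor" in status.active_lsms:
        if (apparmor_enabled or "").strip() != "Y":
            status.apparmor_mode = "disabled"
        else:
            enf, comp = parse_apparmor_profiles(apparmor_profiles or "")
            status.apparmor_enforced, status.apparmor_complain = enf, comp
            status.apparmor_mode = "enforcing" if enf else "loaded-no-profiles"
    return status


def read_if_present(path: Path) -> Optional[str]:
    try:
        return path.read_text()
    except OSError:   # missing file or permission denied: treat as absent
        return None


def assess_live() -> MacStatus:
    return assess(read_if_present(LSM_LIST) or "", read_if_present(SELINUX_ENFORCE),
                  read_if_present(APPARMOR_ENABLED), read_if_present(APPARMOR_PROFILES))


# Constructed sample resembling a default Tumbleweed install with AppArmor.
SAMPLE_APPARMOR_HOST = (
    "lockdown,capability,landlock,yama,apparmor,bpf\n",
    None,                                    # no /sys/fs/selinux/enforce
    "Y\n",
    "nscd (enforce)\nntpd (complain)\n/usr/sbin/cupsd (enforce)\n",
)

if __name__ == "__main__":
    live = assess_live()
    print("active LSMs:", ",".join(live.active_lsms) or "(unreadable)")
    print("MAC module:", mac_lsm(live.active_lsms))
    print("SELinux:", live.selinux_mode)
    print("AppArmor:", live.apparmor_mode,
          f"({live.apparmor_enforced} enforce / {live.apparmor_complain} complain)")
```

Running it as root on a host prints which of the two MACs the kernel booted with and, for AppArmor, how many profiles are actually enforcing, which is the minimum an admin needs to know before touching the `security=` boot parameter or the SELinux config.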
On Wed Dec 20, 2023 at 8:36 PM CET, Lew Wolfgang wrote:
That being said, SELinux is more accepted, if not required, by large organizations like the US Department of Defense, for Linux hosts.
Which is, if I understand it correctly, one of the main reasons why SUSE is switching gradually to SELinux. Matěj -- http://matej.ceplovi.cz/blog/, @mcepl@floss.social GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8 I am certain there is too much certainty in the world. -- Michael Crichton
On Wed, Dec 20, 2023, 2:37 PM Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
On 12/20/23 11:02, Joe Salmeri wrote:
On 12/20/23 04:40, Johannes Segitz wrote:
On Tue, Dec 19, 2023 at 07:09:43PM -0500, Tony Walker wrote:
I realize that Tumbleweed supports both AppArmor and SELinux. I have not installed Aeon or Kalpa, but it sounds like SELinux is the default. In terms of security contributions to Tumbleweed (and its downstreams), is there a general preference toward one or the other MAC?
SUSE will be moving to SELinux over time. I can't speak for the openSUSE project overall, but everything we consume from SUSE will use SELinux going forward, so I expect that openSUSE will head in a general direction.
Johannes
When that happens, will existing installs using AppArmor be migrated to SELinux?
If I can jump in here, I don't think it's practical to port AppArmor controls to SELinux. SELinux is much more complicated and comprehensive than AppArmor, if I'm not mistaken. I remember looking at this years ago and the consensus then was that while SELinux does a better job than AppArmor, it can do that only if it's properly configured and maintained. It was difficult enough that many admins didn't do it correctly, meaning that the simpler-to-run AppArmor gives better net security in practice.
That being said, SELinux is more accepted, if not required, by large organizations like the US Department of Defense, for Linux hosts.
Regards, Lew
My experience is similar and why I have used AppArmor over the years. I am happy to learn more about SELinux. I just don't want to do both. What prompted my question is a talk or post by Mr. Brown where he said he needed help building SELinux support into Aeon.
Participants (6): Joe Salmeri, Johannes Segitz, Lew Wolfgang, Matěj Cepl, Thorsten Kukuk, Tony Walker