Re: SELinux and AppArmor.

On 6/17/19 5:07 PM, Stephen Smalley wrote:
> On 6/17/19 4:23 AM, Neal Gompa wrote:
>> On Mon, Jun 17, 2019 at 4:03 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx>
>> wrote:
>>>
>>> On Thu, Jun 13, 2019 at 1:59 PM Jason Long <hack3rcon@xxxxxxxxx> wrote:
>>>> Thanks, but I meant was can AppArmor cause no Linux distro use
>>>> SELinux anymore and use AppArmor instead of SELinux?
>>>
>>> Why would you want to do that? What benefit would it bring to Fedora?
>>>
>>
>> To be blunt, the poor adoption of SELinux in other distros is largely
>> because the reference SELinux policy maintained by Tresys doesn't work
>> at all. I wish Red Hat SELinux engineers would reach out to other
>> distros and help them transition to our SELinux policy
>> implementation[1], because it actually _works_.
>>
>> For example, SUSE supports SELinux and AppArmor, but the
>> selinux-policy package they have is based on refpolicy, which is
>> horribly broken. Someone should work with them to migrate to the
>> fedora-selinux policy.
>>
>> In Debian, they've been so paralyzed about how to do security in the
>> first place, they did nothing for over a decade. They have a hard time
>> making any kind of decision.
>>
>> Ubuntu had an SELinux expert over a decade ago, but he moved to Google
>> and wrote the SELinux policies for Chrome OS and Android, as both use
>> SELinux.
>>
>> If Red Hat were to help other distros support SELinux using our policy
>> and our enhanced tools, then the community around SELinux would be
>> much stronger and there'd be much more usage and upstream support for
>> it due to the higher exposure.
>>
>> [1]: https://github.com/fedora-selinux/selinux-policy
> 
> I'm certainly in favor of encouraging wider adoption and use of SELinux
> by other distros, but I'm not sure about your assessment of the root
> causes of the current lack of support or how to address them.
> 
> I haven't looked in a while, but at least at some point, SUSE was in
> effect just cloning the Fedora SELinux-related packages along with all
> of their patches.  That wasn't really the problem.  I think the problem
> is that SELinux support is not a first class feature of SUSE, isn't part
> of their QA process, and isn't getting any testing or help from their
> other developers or users beyond whoever maintains the SELinux-related
> packages (and maybe not even by that person beyond a token "does it
> still boot" test). Even if they use Fedora's policy (if they aren't
> already), they will still need some policy adaptation for their
> particular distro distinctives and they will still need a developer and
> user community that is actively testing and maintaining it.  The latter
> is not something Red Hat or others can really provide for them
> externally; it has to come from within.
> 

Agree here. I'd like to see more distros using fedora selinux-policy as
the default SELinux policy. But as Stephen mentioned, it has to come from
within. From my POV, I like that refpolicy is stricter than fedora
selinux policy, because both policies could be used for different use
cases. If there is any possible cooperation with Ubuntu or SUSE on
SELinux, I'm more than happy to discuss possibilities.

Lukas.

> With respect to Android, I just wanted to clarify the history there: we
> created the original Android SELinux reference implementation including
> policy and userspace bits and got it adopted into Android via the
> Android Open Source Project [1].  No one from Ubuntu was ever involved
> to my knowledge.  The Android security team did a great job integrating
> it and then building upon it in every subsequent Android release, but
> I'm not aware of any connection to Ubuntu.  ChromeOS has only gained
> SELinux support recently as a side effect of adding the Android
> container support.  There is work in progress to expand that support to
> the rest of ChromeOS but that is also being led by someone previously
> involved in the Android SELinux integration, not someone from Ubuntu. In
> any event, the key to the long term viability and success of Android
> SELinux support is that it is a first class feature (actually a
> mandatory feature of Android), is part of their standard testing
> processes, and gets wider testing and help from the entire Android team
> and ecosystem.
> 
> [1] http://selinuxproject.org/page/SEAndroid
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> 


-- 
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.
