Slashdot Mirror


Novell Acquires SELinux Alternative Immunix

G Money writes "Novell announced today that they acquired Immunix, a company that produces an alternative mandatory access control solution to SELinux using the LSM. For anyone who hasn't used both Immunix and SELinux, the difference between configuring them is like night and day. There's even a YaST module for configuration. (Disclaimer: I'm on the Defcon Immunix CTF team.)"

24 comments

  1. OT, But... by poopdeville · · Score: 2, Insightful

    This was posted more than 20 minutes ago. Looks like nobody cares!

    --
    After all, I am strangely colored.
    1. Re:OT, But... by Anonymous Coward · · Score: 0

      Seems no-one cares that Debian "Sarge" has now been officially frozen either. I posted the news article hours and hours ago. Probably been dumped by Timothy.

    2. Re:OT, But... by gorre · · Score: 1

      Sarge was frozen just over a week ago and slashdot ran the story at the time.

      --
      "Madness is something rare in individuals - but in groups, parties, peoples, ages it is the rule." -- Nietzsche
  2. There are many alternatives to SELinux by jd · · Score: 4, Interesting

    And that is a Good Thing. It is also good that at least one such alternative is now getting the backing of a major vendor.

    What will likely transpire, over time, is that all of the different solutions solve a narrow set of problems very well, but other problems poorly. That is normal and nothing to be ashamed of. What will likely happen then is that ideas will be taken from all of them to form some hybrid that works well in all arenas.

    This is perfectly normal in the Unix world. System V, BSD and other Unix-like kernels have done this for decades, because it is a very efficient way to build products.

    The downside, for now, is that users may become confused by the range of options. So long as the defaults are sensible and the details as transparent as the user needs them, it shouldn't matter. That depends on how well Novell are in tune with Linux versus being different for the sake of having a conversation piece.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:There are many alternatives to SELinux by PrivateDonut · · Score: 0

      You mean like the automotive industry? Where manufacturers make the differences between makes and models highly apparent so that customers, although presented with a huge variety, have no trouble finding the suitable vehicle for them.

  3. Good Thing? by hbo · · Score: 5, Insightful

    And that is a Good Thing.

    A good thing is where your life becomes sweeter, funnier, easier or more pleasant in some way. Having two approaches to MAC pushed by the two leading Linux vendors makes my life (or the part I spend as a sysadmin) harder fer cryin' out loud!

    What is it with Unix-like operating systems and non-primitive access control? Every Unix flavor adopted different approaches to "Red Book" security in the 1980s on top of the barely-adequate-for-academic-use Unix permissions model. Those that survived have never standardized in all those years. I really hate to see Red Hat and SuSE continue on that well-worn path. And before you say Open Source is different in this regard, take a look at the competing desktops. It's roughly 10 years that both major projects have been pursuing separate paths. And freedesktop.org proves the point. They are expending an awful lot of effort to bridge the gap those competing projects dug between themselves.

    Competing approaches are fine for research into the best way to get things done. They are also a spur to development of different approaches. But MAC is not new computer science that needs researching. And choice is often actually the enemy in a production business computing environment.

    Bah!

    --

    "Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers

    1. Re:Good Thing? by T-Ranger · · Score: 4, Interesting

      While SuSE was a big developer/user/promoter of KDE, Ximian was the single biggest developer/user/promoter of Gnome. Currently, it seems that Novell has decided they are both wrong, and is going with Mono. Sadly, I am only half joking.

      As for MAC, not even hearing of this thing before today, I'm going to side with Novell. SELinux was developed at the NSA as a research project. While I'm not saying that security is the opposite of usability, it is fair to say that an NSA research project is about as far detached from the requirements of reality as you can get. Novell, Netware, NDS, NSS, they have forgotten more about security and the real world - the real business world - than RedHat knows. Novell could have taken SELinux for free, NDS-ized it, iManaged-ized it, YaST-ized it and made it distinct from any RH offering. But they went out of their way to buy a system that competes with SELinux. Either it is significantly better today, or it will more easily be N-ized tomorrow, so it will be radically better next year.

    2. Re:Good Thing? by Jack+Taylor · · Score: 1

      A good thing is where your life becomes sweeter, funnier, easier or more pleasant in some way.

      What about other people's lives?

      --
      One good turn - gets all the covers.
    3. Re:Good Thing? by Anonymous Coward · · Score: 1

      I'm a Novell partner selling Linux solutions.

      The problem seems to be that Novell are unable or unwilling to make a decision regarding KDE or Gnome. While Gnome is regarded as a more enterprise solution (not many things to tweak is good in that environment), KDE shows amazing progress between point versions. Even though they say they support both, that is not correct. For example, by default, NLD9 comes with the red carpet applet in Gnome but not in KDE. Firefox and Evolution are completely GNOMEified - that is true for all distros but please remember what NLD9 is supposed to be.

      They have a very strong strategy on the top end, with the only piece missing being a GOOD Novell Client. OES is amazing and SLES9 is extremely well positioned. But most important of all is, in my opinion, the SBS product, Server and Desktop in one package.

      Novell are in a class of their own Linuxwise; Redhat cannot even touch them.

    4. Re:Good Thing? by Uncle+Warthog · · Score: 1

      I'm a Novell partner selling Linux solutions.

      The problem seems to be that Novell are unable or unwilling to make a decision regarding KDE or Gnome.

      So am I.

      What I don't see is why this is a problem. In my mind, the problem is that they are trying to decide at all. I suspect that the real problem is that the Ximian folks are having too much input into Novell's Linux operations (if not all operations) in general. (It might explain some of the recent rash of Novell departures as well.)

      There are good reasons for both KDE and Gnome as GUI options. KDE can be tweaked almost as well as Gnome can (though not quite as easily) and that functionality is getting better quickly. I've found that, once up and running, Gnome seems to be more CPU-hungry and more unstable than current KDE versions. I've found KDE to be a bit too flashy (i.e. too much eye-candy). My current preference is for KDE with a simpler window theme and most of the eye-candy shut off.

      As far as applications go, Evolution and Firefox run just fine under KDE as long as the libraries they need are loaded. Also, please keep in mind that there are plenty of alternative browsers to Firefox and plenty of alternative mail clients / PIMs to Evolution (GroupWise, with its Linux client, comes to mind here for some strange reason....)

    5. Re:Good Thing? by hbo · · Score: 1

      If your life gets sweeter, simpler etc. as a result of this change, then you are entitled not to bitch about it. 8)

      --

      "Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers

    6. Re:Good Thing? by Jack+Taylor · · Score: 1

      Hmm, but that doesn't work in all cases. For example, what if you were in line to get an inheritance from your rich uncle, and so you killed him, got the money, and managed to not get caught. That's all fine and dandy for you, but it's obviously not very nice for him... Of course, most people would do the ethical thing and *not* kill him. But this is getting silly now ;)

      --
      One good turn - gets all the covers.
  4. Car/Computer analogies suck by Anonymous Coward · · Score: 0

    No, because the government requires 100% of automobiles to be "compatible" with 100% of roads and 100% of gas stations. The computer industry doesn't work that way.

    Furthermore, there's one car company that has 80% of the market and makes exactly one vehicle (in different trim levels). The more diverse and incompatible all of the other cars are, the less likely they can appeal to owners of the monopoly cars.

  5. A picture might be worth a thousand words by Radical+Rad · · Score: 1

    Is there a screenshot anywhere of the YaST module used for configuration? I read the LSM pages and I think I have an idea of what it does but not how to manage it. Are the access control models applied to processes themselves or to the accounts running the processes? So if I wanted to allow the system user to change the time would I configure the date program to be able to do this or the user account in which case he could use any program which could change the system clock.

    And since the framework consists of stackable modules, how do you configure permissions for an arbitrary module with unknown capabilities? Must each module author also write a YaST module to configure it? Can I set one user to be able to open sockets on low ports but allow a different user to only open high ports and only when the protocol is http? Or can I set a user to follow a symbolic link but only if it points to a CD mounted by root? Or am I misunderstanding what the LSM does?

    1. Re:A picture might be worth a thousand words by jd · · Score: 2, Informative

      My (limited) understanding is that you set up an association. So, in your case, you'd want the user to have access to the date program AND the system clock, and the date program itself to also have access to the system clock.

      The user then runs the program. The system determines that this is legit. The program then tries to set the date. The system checks to see if the program is authorized (in this case, it is) and if the user is also authorized (again true in this case). The system then allows the transaction.

      Mandatory access controls originated with the military, where classified information could not be exposed to an environment or user of improper classification. You should never have a top secret file delivered to an unclassified machine, regardless of who is using it, for example. Nor should that file be sent to someone who was of a lower clearance, no matter what clearance the system they were using had.

      Pretty well nearly all systems developed since then have understood that for mandatory access controls to work, you need to apply them to ALL parts of the system. This makes MACs cumbersome, as you have a lot of checking going on. The problem with MAC is less "how do we build it" and more "how do we build it so someone can use it". That's where the problem lies.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
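The two "both must be authorized" rules jd describes above (user AND program associated with the clock; user AND machine cleared for a classified file), as an added toy model that is not code from the thread or from Immunix/SELinux. The policy tables, user names, program names and clearance levels are constructed for illustration.

```python
# Added example: a toy model of the conjunctive checks described in the
# comment above. Nothing here is Immunix or SELinux policy syntax; the
# association tables and levels are constructed sample data.
from typing import FrozenSet, Tuple

# Linear clearance / classification levels, low to high (constructed).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

# Hypothetical association policy: (subject, object) pairs that are authorized.
# 'sysuser' may run date and touch the clock; 'guest' may run date but not
# touch the clock; 'cp' is a program nobody has associated with the clock.
USER_POLICY: FrozenSet[Tuple[str, str]] = frozenset({
    ("sysuser", "date"),
    ("sysuser", "cp"),
    ("sysuser", "system_clock"),
    ("guest", "date"),
})
PROGRAM_POLICY: FrozenSet[Tuple[str, str]] = frozenset({
    ("date", "system_clock"),
})


def operation_allowed(user: str, program: str, target: str) -> bool:
    """Allow only when the user may run the program, the user may touch the
    target, AND the program itself may touch the target (the 'association'
    rule: a denial from any one party denies the whole transaction)."""
    user_may_run = (user, program) in USER_POLICY
    user_may_touch = (user, target) in USER_POLICY
    program_may_touch = (program, target) in PROGRAM_POLICY
    return user_may_run and user_may_touch and program_may_touch


def dominates(clearance: str, classification: str) -> bool:
    """True when a clearance is at or above a classification."""
    return LEVELS[clearance] >= LEVELS[classification]


def delivery_allowed(file_class: str, user_clearance: str,
                     machine_clearance: str) -> bool:
    """A classified file may reach a user only if both the user and the
    machine they are on are cleared for it: information never flows to a
    lower clearance, regardless of who is using the machine."""
    return (dominates(user_clearance, file_class)
            and dominates(machine_clearance, file_class))


if __name__ == "__main__":
    # sysuser running date against the clock: every party authorized.
    print(operation_allowed("sysuser", "date", "system_clock"))   # True
    # guest may run date, but is not associated with the clock itself.
    print(operation_allowed("guest", "date", "system_clock"))     # False
    # sysuser may run cp, but cp is not associated with the clock.
    print(operation_allowed("sysuser", "cp", "system_clock"))     # False
    # Top secret user on an unclassified machine: machine blocks delivery.
    print(delivery_allowed("top secret", "top secret", "unclassified"))  # False
    # Secret file, top-secret user on a secret machine: both dominate.
    print(delivery_allowed("secret", "top secret", "secret"))            # True
```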
  6. Frontend? by ultrabot · · Score: 4, Insightful

    Is the difference in configuration due to a better front end in Immunix, or some more fundamental flaw in SELinux? What's wrong with SELinux, and why can't it be fixed instead?

    --
    Save your wrists today - switch to Dvorak
  7. Immunix by Sunspire · · Score: 1

    Is Immunix open source? If it is not, I'd rather learn an open system like SELinux that I can use on any distribution rather than tying my skillset to something Novell specific.

    Also the point about configuration is not that important in my mind. With SELinux the vendor is supposed to provide the policy so that everything works out of the box. When properly implemented, all your services will benefit from the MAC protection without you even noticing it. Once SELinux is sufficiently integrated into a distribution it should be almost transparent. Administrators may need to read up a bit on extended attributes, roles and file labeling, but for an ordinary user this is simply not an issue.

    I really question if this was a good move on Novell's part. I hope they're not going down this road just to be different from Red Hat.

    --
    It's like deja vu all over again.
    1. Re:Immunix by turbidostato · · Score: 2, Insightful

      "I hope they're not going down this road just to be different from Red Hat."

      Red Hat is market leader (within this niche). Were Novell/SuSE just the same as Red Hat, why would anyone choose them?

      It is not only that Novell wants to be different, it is that they *need* to be different.

    2. Re:Immunix by hbo · · Score: 1

      Sadly, I think you are right about that. Although I think Novell/SuSE is well enough differentiated through their approach to usability. The problem I see with this is, it's the same thinking that drove the Unix vendors to implement dozens of solutions for every single problem, each in the name of "adding value to" or "differentiating" their offering from all the others. This led famously to balkanization of the technical computing market, and ultimate failure in the battle with Microsoft for domination of the desktop. I see Microsoft potentially benefitting from the same phenomenon here.

      I don't know much about Immunix. It may bring things to the table beyond what SELinux offers. But if it just solves the same problems, then I reserve my right to bitch about it, and to point out the history of Unix as a cautionary tale.

      --

      "Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers

    3. Re:Immunix by turbidostato · · Score: 1

      "The problem I see with this is, it's the same thinking that drove the Unix vendors to implement dozens of solutions for every single problem"

      Yes, but this is much more about "perception" than about "reality". While it is true that every unix vendor tried to differentiate themselves in order to gain market opportunity and that was called "The Unix Wars", it is even truer that Microsoft was always much, much more different from any one of those than any two others, and Microsoft made tons of money out of those differences. Still, no one seems to take care about Microsoft's differences and they even call them "de facto standard". Now: if differences among unix vendors were what gave Microsoft the chance to gain the position it holds today, why can anyone say this is because of the differences among unices when Microsoft was the most different among them?

      "the history of Unix as a cautionary tale"

      No doubt about that. The question is, can you tell me again what exactly the story is?

      Remember: it is not unix against windows; it is IBM against Sun against HP against Microsoft against Red Hat against Novell against...

    4. Re:Immunix by hbo · · Score: 1

      "The question is, can you tell me again what exactly the story is?"

      Once upon a time ...

      Story meanings depend in complicated ways on both the teller and listener. But briefly, from my point of view, there was a time in the late 1980s when it looked like Unix workstation vendors might reach down into the commodity PC market and seriously challenge Microsoft for dominance there. Intel CPUs were getting faster and more capable, and it was thought that Unix would soon be viable running on cheap commodity PCs. This may have been a vain hope to start with, given the fact that the Unix vendors had little idea of how to create systems that were usable by the average PC owner, but the fact that there were half a dozen "differentiated" flavors of Unix was a more immediate cause of failure in this regard, at least according to my version of the story.

      --

      "Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers

    5. Re:Immunix by turbidostato · · Score: 1

      "Once upon a time ..."

      Yeah, I know your version of the story (which is the "usual one"), and that's exactly what I was challenging.

      You say "...there was a time in the late 1980s when it looked like Unix workstation vendors might reach down into the commodity PC market and seriously challenge Microsoft for dominance there"

      And I say there's no such thing as "The Unix Vendors": there exist SCO, and HP, and Sun, and Microsoft, and IBM, and a lot of others wanting to make themselves millionaires. And that's the point: *themselves*. IBM wanted to make Sun a millionaire no more than Microsoft wanted SCO to be rich, so it is not "The Unix Vendors vs Microsoft"; it is "each vendor against each other".

      Then, there was the new pristine market named "commodity PC". In theory any vendor could take its piece of the cake, but it was Microsoft, due to luck and/or successful marketing practices, that ate it all.

      "...the fact that there were half a dozen "differentiated" flavors of Unix was a more immediate cause of failure"

      And I say: not at all, since it is impossible. As I said, the PC market was a pristine new one and its users knew nothing about how this product or the other looked. In fact, almost no Microsoft user knew he could install any other OS on his computer, this having nothing to do with how similar or different those other products were among themselves. As a matter of fact, you say that, say, Sun failed to gain the PC market because Solaris was different from HP-UX, but that's simply nonsense: if that were the fact, why did PC-DOS (exactly identical to MS-DOS) fail too? Why did OS/2, which didn't resemble any of those Unixes, fail too?

      In fact, seeing that no Microsoft product from those days was the best one could choose (not that this has changed nowadays), I say that "The Unix Wars" had nothing to do with those vendors' inability to take their piece of the PC cake, but with their marketing inability: some of them failed to see sooner that the PC was going to be a profitable market and stayed with their "big iron"; some of them failed to convince people their product was the one they needed... and even others managed to gain a stable, profitable piece at least for a while, like Novell and SCO did.

      The SCO case is especially enlightening: it offered one of those unixes supposedly unable to gain the PC market niche due to "The Unix Wars", but the case is that SCO *DID* manage to take its own piece of the PC cake, and managed to be quite profitable, at least till Linux killed them. Even more interestingly, SCO's unices were, with AIX, the ugliest of the whole lot! And this hadn't too much to do with their success or failure.

  8. SELinux importance to the average user: by suitepotato · · Score: 1

    ...not much. Two boxes running FC3 with SEL, and neither one has caused me to do any SEL-specific twiddling during any of my configurations, updates, etc. If SEL is doing anything at all for my machines, it's not making itself obtrusive enough to even notice it.

    Okay, so maybe that can be taken to mean it ain't working at all so after a couple intrusive checks later tonight, if I find it still working and doing its thing properly, then I'll just ignore this whole thing. Nice that Novell is taking security seriously. Nice that there's an alternative method and system. Total impact on me: none whatsoever at the moment.

    Either way beats the fark out of anything from MS though. Nothing security related is unobtrusive unless it isn't working on Windows. Hmmm... Better go check on the SEL asap...

    --
    If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
  9. Uh oh by rsax · · Score: 1

    What does this mean for Novell software running on Red Hat Enterprise Linux? Right now they only support GroupWise and eDirectory if you are using RHEL 3 or 2.1 because RHEL4 has SELinux and Novell hasn't figured out a way to officially support their products on that platform. This was directly from a Novell support representative. Now if they are not choosing SELinux at all for SUSE then how long before they totally ditch RHEL as a supported option for eDirectory, GroupWise or any of their other software?