Slashdot Mirror


Novell Acquires SELinux Alternative Immunix

G Money writes "Novell announced today that they acquired Immunix, a company that produces an alternative mandatory access control solution to SELinux using the LSM. For anyone who hasn't used both Immunix and SELinux, the difference between configuring them is like night and day. There's even a YaST module for configuration. (Disclaimer: I'm on the Defcon Immunix CTF team.)"


  1. OT, But... by poopdeville · · Score: 2, Insightful

    This was posted more than 20 minutes ago. Looks like nobody cares!

    --
    After all, I am strangely colored.
  2. There are many alternatives to SELinux by jd · · Score: 4, Interesting
    And that is a Good Thing. It is also good that at least one such alternative is now getting the backing of a major vendor.


    What will likely transpire, over time, is that all of the different solutions solve a narrow set of problems very well, but other problems poorly. That is normal and nothing to be ashamed of. What will likely happen then is that ideas will be taken from all of them to form some hybrid that works well in all arenas.


    This is perfectly normal in the Unix world. System V, BSD and other Unix-like kernels have done this for decades, because it is a very efficient way to build products.


    The downside, for now, is that users may become confused by the range of options. So long as the defaults are sensible and the details as transparent as the user needs them, it shouldn't matter. That depends on how well Novell are in tune with Linux versus being different for the sake of having a conversation piece.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  3. Good Thing? by hbo · · Score: 5, Insightful
    And that is a Good Thing.

    A good thing is where your life becomes sweeter, funnier, easier or more pleasant in some way. Having two approaches to MAC pushed by the two leading Linux vendors makes my life (or the part I spend as a sysadmin) harder fer cryin' out loud!

    What is it with Unix-like operating systems and non-primitive access control? Every Unix flavor adopted different approaches to "Red Book" security in the 1980s on top of the barely-adequate-for-academic-use Unix permissions model. Those that survived have never standardized in all those years. I really hate to see Red Hat and SuSE continue on that well-worn path. And before you say Open Source is different in this regard, take a look at the competing desktops. It's roughly 10 years that both major projects have been pursuing separate paths. And freedesktop.org proves the point. They are expending an awful lot of effort to bridge the gap those competing projects dug between themselves.

    Competing approaches are fine for research into the best way to get things done. They are also a spur to development of different approaches. But MAC is not new computer science that needs researching. And choice is often actually the enemy in a production business computing environment.

    Bah!

    --

    "Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers

    1. Re:Good Thing? by T-Ranger · · Score: 4, Interesting

      While SuSE was a big developer/user/promoter of KDE, Ximian was the single biggest developer/user/promoter of Gnome. Currently, it seems that Novell has decided they are both wrong, and is going with Mono. Sadly, I am only half joking.

      As for MAC, not even hearing of this thing before today, I'm going to side with Novell. SELinux was developed at the NSA as a research project. While I'm not saying that security is the opposite of usability, it is fair to say that an NSA research project is about as far detached from the requirements of reality as you can get. Novell, Netware, NDS, NSS, they have forgotten more about security and the real world - the real business world, than RedHat knows. Novell could have taken SELinux for free, NDS-ized it, iManaged-ized it, YaST-ized it and made it distinct from any RH offering. But they went out of their way to buy a system that competes with SELinux. Either it is significantly better today, or it will more easily be N-ized tomorrow, so it will be radically better next year.

  4. Re:A picture might be worth a thousand words by jd · · Score: 2, Informative
    My (limited) understanding is that you set up an association. So, in your case, you'd want the user to have access to the date program AND the system clock, and the date program itself to also have access to the system clock.


    The user then runs the program. The system determines that this is legit. The program then tries to set the date. The system checks to see if the program is authorized (in this case, it is) and if the user is also authorized (again true in this case). The system then allows the transaction.


    Mandatory access controls originated with the military, where classified information could not be exposed to an environment or user of improper classification. You should never have a top secret file delivered to an unclassified machine, regardless of who is using it, for example. Nor should that file be sent to someone who was of a lower clearance, no matter what clearance the system they were using.


    Pretty well nearly all systems developed since then have understood that for mandatory access controls to work, you need to apply them to ALL parts of the system. This makes MACs cumbersome, as you have a lot of checking going on. The problem with MAC is less "how do we build it" and more "how do we build it so someone can use it". That's where the problem lies.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
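
The two checks described in the comment above, sketched as an added example that is not part of the original thread: an access is allowed only when the user, the program and the target resource are all associated, and a classified file is delivered only when both the machine and the user are cleared for it. The users, programs, levels and policy table are constructed for illustration; this is a toy reference monitor, not how SELinux or Immunix is implemented.

```python
from enum import IntEnum

class Level(IntEnum):
    UNCLASSIFIED = 0
    SECRET = 1
    TOP_SECRET = 2

# Constructed policy: (subject, object) associations. Default is deny.
ALLOW = {
    ("user:alice", "prog:date"),     # alice may run date
    ("user:alice", "res:sysclock"),  # alice may touch the system clock
    ("prog:date", "res:sysclock"),   # date may touch the system clock
    ("user:bob", "prog:date"),       # bob may run date, but has no clock association
    ("user:alice", "prog:editor"),   # editor has no clock association
}

def may_run(user, prog):
    """First check: is the user allowed to start this program at all?"""
    return (f"user:{user}", f"prog:{prog}") in ALLOW

def may_access(user, prog, res):
    """Second check, made when the running program touches a resource:
    both the program and the user behind it must be associated with it."""
    return (may_run(user, prog)
            and (f"prog:{prog}", f"res:{res}") in ALLOW
            and (f"user:{user}", f"res:{res}") in ALLOW)

def may_deliver(file_level, machine_level, user_clearance):
    """Classification check: the file may go only where the machine AND the
    user are both at or above the file's level, whichever one is lower."""
    return machine_level >= file_level and user_clearance >= file_level

def demo():
    """Run the constructed cases and return the decisions by description."""
    return {
        "alice sets clock via date": may_access("alice", "date", "sysclock"),
        "bob sets clock via date": may_access("bob", "date", "sysclock"),
        "alice sets clock via editor": may_access("alice", "editor", "sysclock"),
        "TS file, TS user, unclassified machine":
            may_deliver(Level.TOP_SECRET, Level.UNCLASSIFIED, Level.TOP_SECRET),
        "TS file, secret user, TS machine":
            may_deliver(Level.TOP_SECRET, Level.TOP_SECRET, Level.SECRET),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {case}")
```
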
  5. Frontend? by ultrabot · · Score: 4, Insightful

    Is the difference in configuration due to a better front end in Immunix, or some more fundamental flaw in SELinux? What's wrong with SELinux, and why can't it be fixed instead?

    --
    Save your wrists today - switch to Dvorak
  6. Re:Immunix by turbidostato · · Score: 2, Insightful

    "I hope they're not going down this road just to be different from Red Hat."

    Red Hat is market leader (within this niche). Were Novell/SuSE just the same as Red Hat, why would anyone choose them?

    It is not only that Novell wants to be different, it is that they *need* to be different.