OSNews

Likely not in the short term. When Fedora adopted SELinux in Fedora Core 2 it caused a lot of issues and ended up being disabled by default. Then a targeted policy was designed with just about a dozen programs for Fedora Core 3 and then enabled by default.

Over a period of 6 releases, a lot of policy development, additional tools development, performance etc has been done where it has slowly gotten into the stage where most of the thorny issues are resolved and it works seamlessly for quite a large number of users

Ubuntu (and any other distros) introducing SELinux even disabled by default currently is a good first step before getting rest of the programs working together with SELinux which is actually the bigger part of the integration work that needs to be done. They could probably benefit a lot from adopting policies and tools development done within Fedora and making adjustments where necessary. More distributions adopting this technology is good for improving the overall state of security in Linux since writing policies tends to expose potentially security issues and if you end up disabling SELinux for some programs or even entirely you still get a lot of the residue benefits from it.

James Morris, one of the Red Hat SELinux developer posted his thoughts on

http://james-morris.livejournal.com/27494.html

Edited 2008-03-19 23:54 UTC

SELinux in Fedora already covers desktop quite well including programs like HAL. In Fedora 9, Xorg will have a SELinux framework and browser integration is being developed too.

http://danwalsh.livejournal.com/15700.html#cutid1

My impression is that SELinux is not the sort of thing that you can throw into the repository and say "Hey! Now we have SELinux!". It's taken Fedora 7 releases, and 4 years to get it to where it is now in their distros. (And it still needs some work or we wouldn't still see so many "discussions" about whether its reasonable to turn it off.) Even the most optimistic among us would not try to argue that it was ready before FC6, which would make it 5 releases and 3 years.

Frankly, I'd like to see SELinux/Fedora go head to head with AppArmor/Ubuntu and see which one comes out on top in real world competition. IMO, too many are ready to summarily declare SELinux the victor.

Edited 2008-03-20 14:24 UTC

Even "disabled", it's still impacting performance unless you manually add "selinux=0" to your kernel boot string. SELinux is kind of like lice. Once your machine is infested, it's very difficult to really get rid of it.

I sense a little dichotomy here. If it's as simple as adding selinux=0 to your kernel boot string, where's the "very difficult" bit?
Not a rhetorical question, I frankly have no idea of kernel level SELinux mechanisms.

The "difficult" bit (perhaps "tricky" might have been a better term) is knowing that you can't just disable it and have it really be out of the way. "Disabling" SELinux during the install, or afterward, merely causes it not to load a policy. I imagine that most people who think they have it disabled really don't, not realizing that you have to manually edit grub.conf to add the right string after every kernel upgrade to avoid the "SELinux tax" on performance.

Edited 2008-03-20 12:16 UTC

I've heard that trick before.

Doesn't that switch have to be compiled into the kernel to work?

Do you have a source for that?
My Google-fu failed me - I just find information about the performance loss when actually using it.

As I recall it is in the FC5 SELinux FAQ.

You are apparently relying on very outdated information. This was true on Fedora Core 2 but not on the recent releases. There should no performance difference in between disabling it via the configuration or using the boot loader option.

No you're not because SELinux troubleshooting has been further refined all the time since Fedora 6.

Although one might argue that most desktop users don't really need SELinux, I have never disabled it on either CentOS or Fedora; the system tells you what's going on if something's going on, so there's no immediate need to just disable it.

There's a lot of myths around SELinux, and frankly, the NSA is the last institution on earth that I would ever trust, but it is sort of actually manageable on recent Fedora systems. Red Hat is investing in this, obviously, so it will be even more manageable in RHEL 6.

Fedora 9 has repos combined now in rpm fusion.
Not that it was hard to do before. I installed all the repo's in fedora 8 with 1 command (people have rpm's for all the repos to be added)

Don't get over-excited about Ubuntu's software selection, at least if security matters to you. Most of the packages in Ubuntu belong to the "universe" component that "comes with no guarantee of security fixes and support."
http://www.ubuntu.com/community/ubuntustory/components

FUD much?

"""
Canonical does not provide a guarantee of regular security updates for software found in universe but will provide these where they are made available by the community.
"""

If your distro does not have the package, and you consequently compile from source, where does your guaranty of security updates come from? The community?

I don't see how choosing a distro with smaller repos can be regarded as being safer. Less convenient, certainly. But not safer.

You're accusing Canonical of spreading FUD?

I'd like to defend Canonical against your accusations. When Canonical announces that "Users should understand the risk inherent in using packages from the universe component", they're only doing the right thing, IMO.

There are basically two ways to keep a distro secure. Either you keep it up-to-date so that the security updates come directly from the upstream developers. Or if you don't keep packages up-to-date, then you should provide security updates.

But Ubuntu doesn't get version updates for six long months, and most of their packages don't get any official security support. Using packages from the "universe" component is a definite security risk, and Canonical is doing the right thing in informing users about this risk.

So you should think twice before you criticize Canonical for doing the right thing. Shame on you.

You silly chicken.

Universe does get security updates. Just not guaranteed ones. Like Debian, the Universe updates are the responsibility of the community.

With the main Ubuntu repository, and (some) other distros' repos, it is basically the same thing. Security updates are promised. Of course, some distros don't promise anything at all.

Outside of that, you have to keep on top of updates yourself. It doesn't matter if you compile it yourself or get it from Universe... except that with Universe you likely will have security updates. It's just not guaranteed by Canonical, and is a best effort community venture. Debian depends entirely upon community effort. (I don't recall Debian Corporation ever guaranteeing any dedicated corporate resources.)

And if you *don't* get updates from Universe... you fall back to compiling from source... just like users of distro's with smaller repos had to do in the first place with no hope of reprieve:

./configure... try to figure out what went wrong and why it's not seeing that library that you *know* is there... make... try to figure out why configure didn't catch that missing dependency, and where the hell do you find it, anyway? ... make install... oops... su root... make install

Lather... rinse... repeat.

I don't miss it.