SUSE Linux to come with SELinux
The next releases of SUSE Linux, openSUSE 11.1 and SUSE Linux Enterprise 11 (SLES), will see the security extension SELinux moving into the SUSE distribution. SUSE's current security extension, AppArmor, will remain enabled by default. SUSE describe SELinux's inclusion as a technology preview and are not offering enterprise support or any ready-made SELinux security policy files. SUSE say they are focusing on supplying the necessary kernel patches and changes to applications to allow for SELinux operation.
AppArmor and SELinux are two security enhancements for Linux which operate by only allowing applications to perform defined actions. Attackers who find a vulnerability in some server process can therefore only do limited damage. AppArmor and SELinux pursue different approaches to implementing this. AppArmor allows profiles to be defined for the permissible actions of individual programs and can initially be introduced piecemeal, but this approach has a weakness: any application a user installs without a profile runs unconfined.
SELinux, on the other hand, defines rules for the whole system, modelling it as domains, subjects and objects. Rules then determine whether a subject, for example a process, may access an object, such as a file, record or message, depending on which security domain the subject inhabits. This mechanism is called Type Enforcement (TE) and, combined with role-based access control (RBAC), limits all users, including the normally omnipotent root. A functioning SELinux system typically requires several thousand domains and tens of thousands of rules, defined in policy files, to describe the permitted access. It is those files that won't be supplied as standard with the SUSE SELinux implementation, though reference policies are expected to be available in SUSE repositories.
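To make the Type Enforcement decision described above concrete, here is an added example in Python (not code from SUSE or the SELinux project): it parses a constructed toy policy written in the `allow source target:class { perms };` syntax of a `.te` file and answers access queries the way a default-deny TE check does, independent of the Unix uid. The type names (`httpd_t`, `httpd_content_t`, `httpd_log_t`, `shadow_t`) are assumptions chosen for illustration, not a real policy.

```python
import re
from typing import Dict, Set, Tuple

# Constructed toy policy in simplified .te syntax: type declarations plus
# allow rules. This is an illustration, not the SELinux reference policy.
TOY_POLICY = """
type httpd_t;          # domain of the web server process
type httpd_content_t;  # type of the pages it serves
type httpd_log_t;      # type of its log files
type shadow_t;         # type of the password shadow file (no rule grants it)
allow httpd_t httpd_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append getattr open };
"""

TYPE_RE = re.compile(r"type\s+(\w+)\s*;")
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s*\{([^}]*)\}\s*;")

AllowTable = Dict[Tuple[str, str, str], Set[str]]


def parse_policy(text: str) -> Tuple[Set[str], AllowTable]:
    """Return (declared types, allow table keyed by (domain, type, class))."""
    types: Set[str] = set()
    allow: AllowTable = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if m := TYPE_RE.fullmatch(line):
            types.add(m.group(1))
        elif m := ALLOW_RE.fullmatch(line):
            src, tgt, cls, perms = m.groups()
            allow.setdefault((src, tgt, cls), set()).update(perms.split())
        else:
            raise ValueError(f"unsupported statement: {line}")
    # A rule naming an undeclared type is a policy error, as it would be in checkpolicy.
    for src, tgt, _cls in allow:
        if src not in types or tgt not in types:
            raise ValueError(f"allow rule references undeclared type: {src} -> {tgt}")
    return types, allow


TYPES, ALLOW = parse_policy(TOY_POLICY)


def access_allowed(allow: AllowTable, domain: str, obj_type: str, cls: str, perm: str) -> bool:
    """TE is default-deny: only an explicit allow rule grants a permission.
    Nothing here consults the uid, so a root process in httpd_t is bound the same way."""
    return perm in allow.get((domain, obj_type, cls), set())
```

Querying `access_allowed(ALLOW, "httpd_t", "shadow_t", "file", "read")` returns `False` because no rule mentions `shadow_t`, which is exactly why a compromised server process in a confined domain can do only limited damage.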