Sam Bent: openSUSE Leap 16 Adopts NSA's SELinux

As a Tumbleweed user I would really appreciate any comments from the community. Is it time to move on?

Odd article that frames many positive changes like SELinux and Wayland-only as negative changes imo.

Anyhow if you want to run Linux I can only recommend secureblue.

13 Likes

I feel this is a bit restrictive. Gaming on Secureblue is still very nitpicky. It depends on the OP's privacy spectrum to provide a better recommendation.

To not go that far, using Fedora Workstation, Silverblue, or one of the ublue images may bring a bit of an easier path. Although, I'm not sure about the future of Fedora and its derivatives as a Red Hat distro, with direct influence from IBM growing and potential interference.

If OP wants to continue the true rolling release distro nature, there are more options that are community maintained: Arch, Nix (has quite a few polemics regarding American defense contractor collaborations), Void (not a big fan of runit but…), Gentoo…

4 Likes

I was running Fedora right before Tumbleweed and jumped ship after Red Hat's change of heart. openSUSE is perfect for me in every sense, gaming included (Steam for the most part). Well, I guess you can't have it all. Also, I'm not a fan of Arch since I'm not that proficient in Linux, but an absence of options makes a choice easier. No matter what, thank you for your suggestion.

I’ll look into it. Thank you.

Sam Bent already has a bad track record, and here he's framing positive changes (like adopting SELinux and Wayland) as negatives. He also highlights that the NSA originally developed SELinux (he claims they're still developing it, but I'm not aware of that and he provides no source), which reads to me like he's implying that SELinux is untrustworthy or inferior to AppArmor, which just doesn't make any sense.

I can’t speak to the other points but considering this alone, I’d disregard anything he has to say. There’s only so much time we have and I’d hate to waste it on someone who’s been known to spread misinformation and bad advice. If there are any serious issues, I’d assume someone more competent and trustworthy would bring light to it some time soon.

8 Likes

+1 for selinux and wayland, those are some big improvements for suse.

8 Likes

I ran openSUSE Kalpa for a long time. My threat model changed, though. Secureblue was impractical for me, so I opted for Arch + DWL with a declarative config, my own hard fork (work in progress) of transactional-update meant for Arch, with most of Secureblue's defaults. I did loosen Flatpak permissions (but still only use verified) and use Xwayland for a work app. I'll address each of the article's subjects below.

SELinux
It was developed by the NSA. I understand they forked and moved on with their own version. I have personally seen companies follow best practices and still get compromised by advanced groups. If your threat model is state entities (or those funded by them), this site is not your primary source of information. They will get to you from your WiFi echo, from your conversations over Bluetooth devices, from your streaming history, telemetry from your car (if built since at least 2015—you can disable this, though), or the multitude of cameras scattered wherever you live. If you're freaking out about SELinux, and the state is your threat vector, you've got a lot of learning to do. Google is not breaking through your well-configured SELinux policies; even they have a line they won't cross.

Wayland
HUGE improvement over X11. One of the best display protocols out there. Still, likely many holes that need patching. Also a huge PITA if you need to do web conferencing or screen recording, but if those aren't an important part of your workflow, it's a great option.

Agama
The SUSE team is aware of the issue. It's assumed that if you're a user, this won't matter. If you're an enterprise, you're deploying with Ignition.

Cockpit
Red Hat did this by default, too. Very annoying. Easy to uninstall and won't break anything.

Telemetry and “Phoning Home”
The only thing I’ve seen is data sent to get updates, and some package usage survey data. The latter is opt out. The update blobs are signed and encrypting each of the many thousands of requests received daily costs CPU and network bandwidth. If you have to encrypt your signed public software, maybe get your tin-foil hat resized. It might be too tight! :wink:

SLES Binaries
This is a good thing. There are a lot of large companies that use SLES, and they don't want anyone stealing their data (it hurts profits). Their eyeballs on top of review from the non-enterprise user community means leaner operations for SUSE, and better auditing of packages and code. This is a win for everyone.

Privatization of SUSE
The main reasoning for this was to take market pressures off of SUSE. There are a lot of European finance companies that rely on SUSE, and being in a public global market meant they had to focus on profitability over features and quality. This was harmful to everyone and stressful for the maintainers. I know quite a few folks over there, and most of them say this was a good move for everyone and work has been fun again (usually) for the last couple of years.

I think the takeaway is to know what your threat model is, and incrementally learn what your threat vectors are, and iteratively attack each vector. Security and privacy are knobs, not switches, and they need constant tuning with every change in your life and every use case. Hope this is helpful.

6 Likes
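Two of the points in the post above (running SELinux in enforcing mode, and relying on signed updates rather than an encrypted transport) are things you can verify on the box rather than take on faith. The script below is an added example, not code from the post's author or from openSUSE; it assumes the standard `/etc/selinux/config` key=value layout and the zypper `.repo` INI layout (where `gpgcheck=1` tells libzypp to verify repository metadata and packages against the repo's GPG key). The sample files it writes are constructed so the checks run offline; on a real system you would point the functions at `/etc/selinux/config` and `/etc/zypp/repos.d/*.repo` instead.

```shell
#!/bin/sh
# Added example (not from the forum post): offline posture checks for
# SELinux boot mode and zypper repository signature verification.

# Print the SELINUX= mode from a selinux config file (enforcing|permissive|disabled).
# This is the boot-time setting; `getenforce` reports the live runtime mode.
selinux_mode() {
  sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Print the alias of every [section] in a zypper .repo file that does not
# set gpgcheck=1 explicitly. A missing key falls back to the zypp.conf
# default, so those repos are printed too so that you review them.
repos_without_gpgcheck() {
  awk '
    function flush() { if (alias != "" && !ok) print alias }
    /^\[.*\]$/ { flush(); alias = substr($0, 2, length($0) - 2); ok = 0; next }
    /^[[:space:]]*gpgcheck[[:space:]]*=/ {
      split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); if (kv[2] == "1") ok = 1
    }
    END { flush() }
  ' "$1"
}

# Combined check: succeed only if SELinux is enforcing and every repo in the
# given .repo file pins gpgcheck=1. Returns 1 (with a reason) otherwise.
posture_check() {
  mode=$(selinux_mode "$1")
  [ "$mode" = "enforcing" ] || { echo "SELinux not enforcing: ${mode:-unset}"; return 1; }
  bad=$(repos_without_gpgcheck "$2")
  [ -z "$bad" ] || { echo "Repos without gpgcheck=1:"; echo "$bad"; return 1; }
  echo "OK: SELinux enforcing, all repos verify signatures"
}

# Constructed sample inputs (not real system files) so the example runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/selinux-config" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
cat > "$SAMPLE_DIR/mixed.repo" <<'EOF'
[repo-oss]
name=Main Repository
enabled=1
autorefresh=1
baseurl=https://download.opensuse.org/tumbleweed/repo/oss/
gpgcheck=1

[third-party]
name=Vendor repo with verification switched off (hypothetical)
enabled=1
baseurl=https://example.invalid/repo/
gpgcheck=0

[no-gpgcheck-key]
name=Relies on the zypp.conf default (hypothetical)
enabled=1
baseurl=https://example.invalid/other/
EOF
cat > "$SAMPLE_DIR/clean.repo" <<'EOF'
[repo-oss]
name=Main Repository
enabled=1
baseurl=https://download.opensuse.org/tumbleweed/repo/oss/
gpgcheck=1
EOF

# Stand-alone demo run against the constructed files.
echo "SELinux boot mode: $(selinux_mode "$SAMPLE_DIR/selinux-config")"
echo "Repos in mixed.repo not pinned to gpgcheck=1:"
repos_without_gpgcheck "$SAMPLE_DIR/mixed.repo"
posture_check "$SAMPLE_DIR/selinux-config" "$SAMPLE_DIR/mixed.repo" || true
posture_check "$SAMPLE_DIR/selinux-config" "$SAMPLE_DIR/clean.repo"
```

On a live openSUSE host, run `posture_check /etc/selinux/config "$f"` for each `f` in `/etc/zypp/repos.d/*.repo`, and pair it with `getenforce`, since the config file only says what mode the system boots into.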

Extremely helpful. I've got only one tiny tin-foil hat, and I keep it in my drawer most of the time. Thank you for the generously detailed answer.

1 Like

I hate those headlines. They are misleading as f-ck. It implies the NSA has some dark motive at play here. Maybe they genuinely want to be equipped with great security?*

Tor was founded by the US military and is still financed by the US gov. Should we now refer to US-funded Tor every time?

Some points of cyber might be valid. But it's odd to complain about security and then complain about X11 being removed.

* That can be a valid assertion. But then explain it explicitly and specify whether you have proof or this is just speculation.
1 Like