SLED15 with LSM (Yama, SeLinux)

New to Suse and SLED I’m learning every day this is a whole different approach. Much is surprisingly well done getting to know Suse, other aspects make me scratch my head and shift on my seat.

To my surprise Suse does not have Yama enabled, there is also no documentation on this when searching

For Selinux there are no policies available and also some tools are missing such as for the GUI. Creation of SELinux policies appears to also not be encourage or well documented.

I know there is AppArmor, it is just not my area of focus at this time.

Also looking at Tomoyo and Akari which do appear somewhat supported.

Can someone introduce me a bit how to go about working with Yama, SeLinux on SLED ?



@JLT Hi, I suspect that this is probably something that would be present in a later release based on the current Tumbleweed setup;

zcat /proc/config.gz | grep tomoyo

dmesg | grep -A 1 -B 1 TOMOYO
[    0.162967] AppArmor: AppArmor initialized
[    0.162969] TOMOYO Linux initialized
[    0.162975] LSM support for eBPF active

I suspect you would need to recompile the kernel :frowning_face:

thanks for sharing

my output is quite different for SLED 15.5

looking at zcat /proc/config.gz | grep -i -e CONFIG_SECURITY -e LSM -e bpf i do get a lot of related showing SELinux and others are available to enable and other LSM are not (Smack, Loadpin, safesetid)

So it’s not that bad :slight_smile:

I don’t mind recompiling a kernel once in a while, i just hope SLED has a nice way of dealing with customer kernels as with Ubuntu that was not a pleasant experience.

@JLT If it’s there as a module but set to n then you could just build the missing ones and add rather than a full recompile. I would grab your current kernel-source, copy to a user directory, and test compiling the modules.

I’m not sure if i’d dare. I’m already hitting a brick wall trying to get displaylink/evdi compile for SLED 15.5

Thinking of then having to work with a custom compiled version and the sh*t that brought with it on Ubuntu and Debian systems … sigh