A new YaST module gives system administrators a basic way to check the general security health of a system. It's found under YaST -> Security and Users -> Local Security, where the default selection is Security Overview. The intent was to provide Bastille-like functionality with greater ease of use. The overview shows three columns: security setting, status, and security status. The security status is a column of green check marks and red X's, and each setting has help text explaining why it matters.
Security-Enhanced Linux (SELinux) support is enabled in SLES 11: the kernel is built with SELinux support, the common user-space packages carry the patches needed to work with SELinux, and the supporting libraries ship. The limitations are that this offering isn't yet officially supported, no SELinux policies are included, and the SELinux-specific packages (e.g., checkpolicy, policycoreutils, selinux-doc) aren't provided.
Quality assurance testing of SLES 11 was done with SELinux disabled, so enabling it without the policies and the tooling needed to manage it will create problems at this stage of support. Note also that AppArmor and SELinux are mutually exclusive: one or the other must be selected at boot time via a kernel parameter, and AppArmor is the default when no parameter is given.
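As an added example (not from the article or from SUSE), the script below works out which LSM a SLES 11 kernel will run from its parameter line and prints the zipl.conf stanza that selects it. It assumes the security= and selinux= kernel parameters of the 2.6.27 kernel, AppArmor as the default when neither is given, and /proc/cmdline for the live check; the /boot paths in the stanza are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the article or from SUSE: work out which LSM a
# SLES 11 kernel will run from its parameter line, and print the zipl.conf
# fragment that selects it. Assumptions: the security= and selinux= kernel
# parameters of the 2.6.27 kernel, AppArmor as the default when neither is
# given, and /proc/cmdline for the live check.

# lsm_from_cmdline 'PARAMS' -> apparmor | selinux (enforcing) | selinux (permissive) | none
lsm_from_cmdline() {
    lsm=apparmor        # SLES 11 default: no security= parameter means AppArmor
    selinux=1           # selinux=0 disables SELinux even when it is selected
    enforcing=1
    for tok in $1; do   # kernel parameters are space separated; the last one wins
        case $tok in
            security=*)  lsm=${tok#security=} ;;
            selinux=*)   selinux=${tok#selinux=} ;;
            enforcing=*) enforcing=${tok#enforcing=} ;;
        esac
    done
    case $lsm in
        selinux)
            if [ "$selinux" = 0 ]; then
                echo none
            elif [ "$enforcing" = 0 ]; then
                echo "selinux (permissive)"
            else
                echo "selinux (enforcing)"
            fi ;;
        apparmor) echo apparmor ;;
        *)        echo none ;;
    esac
}

# zipl_stanza LABEL 'PARAMS' -> an /etc/zipl.conf boot section (paths are assumed)
zipl_stanza() {
    cat <<EOF
[$1]
    image = /boot/image
    ramdisk = /boot/initrd
    target = /boot/zipl
    parameters = "$2"
EOF
}

# What the running system booted with, when /proc is available.
if [ -r /proc/cmdline ]; then
    echo "running kernel selected: $(lsm_from_cmdline "$(cat /proc/cmdline)")"
fi

# Two constructed parameter lines: the default (AppArmor) and SELinux selected
# in permissive mode.
zipl_stanza SLES11-apparmor "root=/dev/dasda1"
zipl_stanza SLES11-selinux  "root=/dev/dasda1 security=selinux selinux=1 enforcing=0"
```

Run it on the guest to see which LSM the current boot selected; after editing /etc/zipl.conf, remember that zipl must be re-run for the change to take effect, and that switching to the SELinux stanza on SLES 11 lands you in the unsupported, policy-less state described above.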
Kexec is an interesting new feature mainly targeted at midrange systems, but it has interesting possibilities for Linux on System z, too. To quote from the man page for kexec: “Kexec is a system call that enables you to load and boot into another kernel from the currently running kernel. Kexec performs the function of the boot loader from within the kernel. The primary difference between a standard system boot and a kexec boot is that the hardware initialization normally performed by the BIOS or firmware (depending on architecture) is not performed during a kexec boot. This has the effect of reducing the time required for a reboot.”
For System z and z/VM users, this may prove to be an interesting way of delivering an initial Random Access Memory (RAM)-based system where a VM application has populated a device table and done I/O setup, allowing the Linux kernel to further exploit VM’s already extensive knowledge of the virtual hardware environment and become less resource-intensive on boot.
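The two-step kexec procedure (stage a kernel, then jump into it), as an added example that is not from the article or from SUSE. It assumes the kexec-tools command line (kexec -l KERNEL --initrd=FILE --append=PARAMS to stage, kexec -e to execute), the System z file names /boot/image and /boot/initrd, and /proc/cmdline as the parameter line to reuse; without --run it only prints what it would do.

```shell
#!/bin/sh
# Added example, not from the article: a kexec "warm reboot" helper for a
# SLES 11 guest. Assumptions: kexec-tools' command line (kexec -l KERNEL
# --initrd=FILE --append=PARAMS to stage a kernel, kexec -e to jump into it),
# the System z file names /boot/image and /boot/initrd, and /proc/cmdline as
# the parameter line to reuse. Without --run it only prints what it would do.

KERNEL=${KERNEL:-/boot/image}
INITRD=${INITRD:-/boot/initrd}

# kexec_load_cmd KERNEL INITRD 'PARAMS' -> the staging command as one line
kexec_load_cmd() {
    printf 'kexec -l %s --initrd=%s --append="%s"\n' "$1" "$2" "$3"
}

# reuse_cmdline 'PARAMS' -> PARAMS with bootloader bookkeeping dropped.
# BOOT_IMAGE= is added by grub on other architectures and means nothing to
# the kernel being staged; everything else (root=, dasd=, security=, ...)
# is carried over unchanged so the new kernel boots like the current one.
reuse_cmdline() {
    out=
    for tok in $1; do
        case $tok in
            BOOT_IMAGE=*) ;;
            *) out="$out${out:+ }$tok" ;;
        esac
    done
    printf '%s\n' "$out"
}

# stage_and_exec: the real thing. Needs root (CAP_SYS_BOOT). kexec -e jumps
# straight into the staged kernel without stopping services or unmounting
# file systems, so at least flush the page cache first.
stage_and_exec() {
    [ "$(id -u)" -eq 0 ] || { echo "kexec needs root" >&2; return 1; }
    for f in "$KERNEL" "$INITRD"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    params=$(reuse_cmdline "$(cat /proc/cmdline)")
    kexec -l "$KERNEL" --initrd="$INITRD" --append="$params" || return 1
    sync
    kexec -e
}

case ${1:-} in
    --run) stage_and_exec ;;
    *)     params=$(reuse_cmdline "$(cat /proc/cmdline 2>/dev/null || echo 'root=/dev/dasda1')")
           echo "dry run:"
           kexec_load_cmd "$KERNEL" "$INITRD" "$params"
           echo "kexec -e" ;;
esac
```

Two things worth keeping in mind when you hand this to operators: whoever holds CAP_SYS_BOOT can replace the running kernel with anything readable on disk, so the kernel and initrd paths should be root-owned files, and because firmware and the boot loader are skipped, nothing outside the running kernel gets a say in what is booted next.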
Since Linux for System z installations always occur over a network, virtual or real, considerable time has been spent over the last nine years debugging network problems. In several shops this has been hindered by a network security policy that doesn't allow Internet Control Message Protocol (ICMP) or User Datagram Protocol (UDP) packets to cross the network. Although not specifically intended to alleviate this problem, traceroute was enhanced to probe with TCP SYN packets in addition to the usual UDP or ICMP ECHO packets. The -T switch puts the command into Transmission Control Protocol (TCP) mode, and -p selects the destination port (the default is 80), so pick a port the target actually listens on. Users should be aware that a series of TCP SYNs to the same port with increasing TTLs looks like a half-open port scan to some network intrusion detection systems and may raise a false positive.
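The fallback a practitioner usually wants, as an added example that is not from the article: run traceroute in its default mode and switch to TCP SYN mode only when every hop times out, which is what a policy that drops UDP and ICMP looks like from the inside. It assumes traceroute 2.x options (-n, -w, -m, -T, -p); the sample output embedded at the bottom is constructed, and TCP mode sends raw SYNs, so run it as root.

```shell
#!/bin/sh
# Added example, not from the article: run traceroute normally and fall back
# to TCP SYN mode only when every hop times out, which is what a policy that
# drops UDP and ICMP looks like from the inside. Assumptions: traceroute 2.x
# options (-n -w -m, -T, -p); the sample output at the bottom is constructed.
# TCP mode sends raw SYNs, so run it as root.

# all_hops_timed_out 'OUTPUT' -> 0 (true) when no probe on any hop got a reply
all_hops_timed_out() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                  # "traceroute to host (...)" header line
        NF == 0 { next }
        { for (i = 2; i <= NF; i++) if ($i != "*") replied = 1 }
        END { exit (replied ? 1 : 0) }'
}

# trace HOST [PORT]: UDP probes first, then TCP SYN to PORT (a port the target
# listens on, so the last hop answers with SYN-ACK or RST instead of silence)
trace() {
    host=$1; port=${2:-443}
    out=$(traceroute -n -w 2 -m 20 "$host" 2>&1)
    if all_hops_timed_out "$out"; then
        echo "# no replies to UDP probes; retrying with TCP SYN to port $port" >&2
        echo "# note: an IDS may log this as a half-open port scan" >&2
        out=$(traceroute -n -w 2 -m 20 -T -p "$port" "$host" 2>&1)
    fi
    printf '%s\n' "$out"
}

# Constructed output of a trace where UDP probes are dropped everywhere.
BLOCKED='traceroute to 192.0.2.10 (192.0.2.10), 20 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *'

if [ $# -gt 0 ]; then
    trace "$@"
elif all_hops_timed_out "$BLOCKED"; then
    echo "sample output: no hop answered; this is where -T would be tried"
fi
```

If the TCP run also shows nothing, the problem is not ICMP/UDP filtering, since the ICMP time-exceeded replies that traceroute relies on for the intermediate hops are being dropped as well, and you will need to ask the network team for a path trace from their side.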
SUSE Linux Enterprise Mono Extension
In SLES 11, Novell has moved the Mono application development tools to a separately licensed extension, grandfathering in previous licensees for this release. Mono is a .NET application framework that lets you run .NET-based applications, including ASP.NET, on SLES. It’s available for all the architectures that SLES is built for, including the mainframe. The SLE Mono Extension provides the necessary software to develop and run .NET client and server applications across platforms on Linux, Solaris, Mac OS X, Windows, and UNIX. Mono for Linux on System z can provide reliability, performance, and scalability advantages over Windows.
Mono lets users of Microsoft .NET and Linux-based tools develop on a platform of choice and deploy anywhere .NET or Mono are supported. You can target Linux from Visual Studio or use the tool chain for Linux. The run-time is binary-compatible with .NET on Windows. This gives you the flexibility to:
- Migrate Microsoft .NET desktop and server applications to Linux without significant investment in rewriting code
- Target multiple platforms and increase your addressable market
- Leverage existing expertise in computer languages for more efficient development.
As noted, the Mono packages are still available at no charge from the Mono project Website, so it will be interesting to see how this separation plays out.
SUSE Linux Enterprise High Availability Extension
Another packaging change in SLES 11 is the move of the HA tooling that shipped in SLES 10 into a separate offering, SLE HA 11, a collection of robust, open source clustering technologies for high availability. It includes a cluster-aware file system (OCFS2) and volume manager (cLVM2), continuous data replication, user-oriented tools, and resource agents.
While this may not seem a desirable step from Novell, especially in a distribution ostensibly oriented specifically to enterprise customers, the market will decide whether Novell will continue to separate basic enterprise function into penny packets.
Overall, SLES 11 continues to offer a significant set of tools for supporting an enterprise Linux deployment. It's pleasing to see the by-id debacle corrected and the many enhancements to tooling and packaging, but the creation of the extension packages is somewhat troublesome; we'll see how that plays out in the marketplace.