Read more on "Bugger Off: The Importance of Securing Your Servers" »

SELinux vs Systemd: What's Safer for Linux Servers?

By Sean Michael Kerner (Send Email)
Posted May 12, 2016

Among the most disruptive changes in Linux over the last decade has been in the introduction and broad integration of the systemd init system into Linux.

In a keynote session at the CoreOS Fest in Berlin this week, Lennart Poettering, one of the lead developers of systemd, delivered a detailed technical keynote on some of the key parameters in systemd and how they can be used to secure Linux servers.

Poettering also provided some very controversial comments on how systemd stacks up against SELinux for helping to secure Linux servers.systemd

The fundamental premise of systemd is that it can be used to essentially sandbox everything on a Linux system, not just containers but normal system services as well.

Among the many parameters that Poettering detailed is the "systemd-nspawn" option, which provides user namespace security. Another interesting parameter is the "privateNetwork" option, which can enable an administrator to run a private service on a network.

While systemd is an init system for Linux, it has broad impact on helping to secure Linux overall. That's where there potentially is overlap with other mechanisms for security, notably SELinux (security enhanced Linux), which provides access control for running processes and applications.

Poettering noted he's currently employed by Red Hat, which is the leading Linux distribution behind SELinux. SELinux is also a core security control in Red Hat Enterprise Linux, Fedora Linux and CentOS.

"Sure SELinux is great technology, but I don't understand it," Poettering said as the audience erupted into laughter.

Poettering admitted there are systemd settings that are to some degree made redundant by SELinux, as system administrators could potentially express the same policies. That said, he noted SELinux is specific to Red Hat-backed Linux distributions, while systemd today is integrated into nearly every Linux distribution by default.

"My recommendation is that systemd settings are easy and are just Boolean expressions that most people will easily understand; that's why I created them, and that's why I think they are more useful to more people than an SELinux policy," Poettering said.

"There are probably only 50 people in the world that understand SELinux policies," Poettering continued, "but I really hope there are more than 50 people that understand systemd."

Sean Michael Kerner is a senior editor at ServerWatch and InternetNews.com. Follow him on Twitter @TechJournalist.

Follow ServerWatch on Twitter and on Facebook

Page 1 of 1

Read more on "Bugger Off: The Importance of Securing Your Servers" »

Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.



Thanks for your registration, follow us on our social networks to keep up-to-date