Among the most disruptive changes in Linux over the last decade has been the introduction and broad integration of the systemd init system.
In a keynote session at the CoreOS Fest in Berlin this week, Lennart Poettering, one of the lead developers of systemd, gave a detailed technical talk on some of the key parameters in systemd and how they can be used to secure Linux servers.
Poettering also provided some very controversial comments on how systemd stacks up against SELinux for helping to secure Linux servers.
The fundamental premise of systemd is that it can be used to essentially sandbox everything on a Linux system, not just containers but normal system services as well.
Among the many parameters that Poettering detailed is the “systemd-nspawn” option, which provides user namespace security. Another interesting parameter is the “PrivateNetwork” option, which lets an administrator run a service in its own private network namespace.
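As an added illustration of the per-service sandboxing described above (not a configuration from the talk or the article), the following unit drop-in combines PrivateNetwork with related systemd hardening directives for a hypothetical batch service that needs no network access; the service name and path are assumptions.

```ini
# Added example: a drop-in that applies systemd's per-service sandboxing to a
# hypothetical "report-gen" service (a batch job that needs no network access).
# Illustrative path: /etc/systemd/system/report-gen.service.d/10-sandbox.conf
[Service]
# Give the service its own network namespace containing only loopback,
# so a compromised process cannot reach the network at all.
PrivateNetwork=yes
# Private /tmp and /var/tmp, and no access to physical devices.
PrivateTmp=yes
PrivateDevices=yes
# Read-only view of /usr, /boot and /etc; home directories are inaccessible.
ProtectSystem=strict
ProtectHome=yes
# The only writable location is the state directory systemd creates for it.
StateDirectory=report-gen
# Block privilege escalation through setuid binaries and drop all capabilities.
NoNewPrivileges=yes
CapabilityBoundingSet=
# Restrict system calls and socket families to what an ordinary service needs.
SystemCallFilter=@system-service
RestrictAddressFamilies=AF_UNIX
# Run as a transient, unprivileged user allocated by systemd at start time.
DynamicUser=yes
```

After `systemctl daemon-reload`, `systemd-analyze security report-gen.service` reports an exposure score showing which of these directives are in effect.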
While systemd is an init system for Linux, it has a broad impact on securing Linux overall. That is where it potentially overlaps with other security mechanisms, notably SELinux (Security-Enhanced Linux), which provides access control for running processes and applications.
Poettering noted he’s currently employed by Red Hat, which is the leading Linux distribution behind SELinux. SELinux is also a core security control in Red Hat Enterprise Linux, Fedora Linux and CentOS.
“Sure SELinux is great technology, but I don’t understand it,” Poettering said as the audience erupted into laughter.
Poettering admitted there are systemd settings that are to some degree made redundant by SELinux, as system administrators could potentially express the same policies. That said, he noted SELinux is specific to Red Hat-backed Linux distributions, while systemd today is integrated into nearly every Linux distribution by default.
“My recommendation is that systemd settings are easy and are just Boolean expressions that most people will easily understand; that’s why I created them, and that’s why I think they are more useful to more people than an SELinux policy,” Poettering said.
“There are probably only 50 people in the world that understand SELinux policies,” Poettering continued, “but I really hope there are more than 50 people that understand systemd.”