Ubuntu Hardened (SELinux) Call for Volunteers: Gnome, pygtk and python hackers

Lorenzo Hernández García-Hierro lorenzo at gnu.org
Tue May 24 19:01:50 CDT 2005


Hi,

NOTE: cross posting to -devel as suggested in the -devel channel, I
apologize if it sounds like noise.

We are seeking Gnome hackers, more concretely those experienced with
Python hacking and using PyGTK for the development of consistent
configuration tools and other nifty utilities for the desktop user as
front-ends or management tools of the "Proactive Security" (intrusion
prevention) technologies under development and deployment for Ubuntu
Linux.

We plan to do the following stuff:

 1) a Gnome applet for giving information on SELinux status and providing
    immediate ways of enabling/disabling at runtime, among changing the
    modes, giving AVC statistics, booleans and tunables.
 2) a Security Center-like GUI, that would be much like a GTK2-based 
    port of Bastille but personalized to our needs and usability 
    guidelines, among the deployed technologies.
 3) porting Red Hat's configuration tools (old redhat-config-tools).

On (1):

It should be combining information from RH's system-config-securitylevel
GUI, the sestatus program, and the avcstats program.

People will want to know whether SELinux is enabled/disabled,
enforcing/permissive modes, what policy is active, boolean settings and
possibly tunable settings.

SELinux provides a good interface for the purpose, among the proper and
existing tools that can be either used as back-ends or as inspiration of
what we want to get.

An example of doing it "on our own":

--
# selinuxfs default location
selinuxfs = '/selinux/'

# modes & general information
enforcement = selinuxfs + 'enforce'
mls = selinuxfs + 'mls'
disable_selinux = selinuxfs + 'disable'
policy_version = selinuxfs + 'policyvers'

# Access Vector Cache statistics
avc_stats = selinuxfs + 'avc/'
avc_cache_threshold = avc_stats + 'cache_threshold'
avc_hash_stats = avc_stats + 'hash_stats'

# Each getter returns the node's contents as a string, whitespace stripped.
def get_enforcement():
    # '1' means enforcing, '0' means permissive
    with open(enforcement) as fd:
        return fd.read().strip()

def get_mls():
    with open(mls) as fd:
        return fd.read().strip()

def get_policy_version():
    with open(policy_version) as fd:
        return fd.read().strip()

def get_avc_cache_threshold():
    with open(avc_cache_threshold) as fd:
        return fd.read().strip()

name = "selinux-gnome-applet"
version = "0.1"
image_dir = "/usr/share/pixmaps" 
glade_dir = "/usr/share/" + name
--

It won't be a big deal, summarizing, but my PyGTK skills really suck and
I haven't done a lot of Python hacking lately.

The artwork is something I could try to do but I don't know what should be
used properly (no badges or anything like that for it, please, it must
be Ubuntu-dependent and related), and I lack a proper drawing tablet,
just a scanner that might do half of the work ;).

On (2):

It would look like the `echo Zvpebfbsg | tr A-Za-z N-ZA-Mn-za-m`
Security Center if it applies as inspiration (*grin*).

A bug is filed in the bugzilla since some time ago:
https://bugzilla.ubuntu.com/show_bug.cgi?id=7825

An interesting usability feedback from Matthew Thomas:
https://bugzilla.ubuntu.com/attachment.cgi?id=1841

On (3):

The primary target is Fedora's system-config-securitylevel. It's way too
"Red Hat-dependent" but won't be a big deal for an experienced Python
hacker to "sanitize" for our needs.

Check:
http://fedora.redhat.com/projects/config-tools/redhat-config-securitylevel.html
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0105.html
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0068.html
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-chapter-0017.html#RHLCOMMON-SECTION-0070

checking out:
 export CVSROOT=:pserver:anonymous@rhlinux.redhat.com:/usr/local/CVS
 cvs -z3 login
 cvs -z3 co redhat-config-securitylevel

Feel free to get in touch with me (trulux in the IRC) or any other
fellow like Andrew Mitchell (ajmitch) and Martin Pitt (pitti) in
#ubuntu-hardened or #ubuntu-devel.

Cheers and many thanks in advance.
-- 
Lorenzo Hernández García-Hierro <lorenzo at gnu.org>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
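
Added example, not part of the original message or of any Ubuntu Hardened code: a possible back-end for the applet described in (1), gathering mode, policy version, MLS flag, AVC statistics and booleans from a selinuxfs tree and reporting SELinux as disabled when the tree is absent. The function names, the `root` parameter, the `booleans/<name>` and `hash_stats` layouts and the sample values are assumptions or constructed for the example.

```python
import os

def _read(root, *parts):
    """Return a selinuxfs node's contents, or None if it cannot be read."""
    try:
        with open(os.path.join(root, *parts)) as fd:
            return fd.read().strip()
    except OSError:
        return None

def selinux_status(root="/selinux"):
    """Collect what the applet would display from a selinuxfs tree."""
    enforce = _read(root, "enforce")
    if enforce is None:
        # No enforce node: selinuxfs is not mounted, treat SELinux as disabled.
        return {"enabled": False}
    status = {
        "enabled": True,
        "mode": "enforcing" if enforce == "1" else "permissive",
        "policy_version": _read(root, "policyvers"),
        "mls": _read(root, "mls") == "1",
        "avc_cache_threshold": _read(root, "avc", "cache_threshold"),
        "avc_hash_stats": {},
        "booleans": {},
    }
    # hash_stats is one "key: value" pair per line, e.g. "longest chain: 4".
    for line in (_read(root, "avc", "hash_stats") or "").splitlines():
        key, sep, value = line.partition(":")
        if sep:
            status["avc_hash_stats"][key.strip()] = value.strip()
    # Each booleans/<name> node holds "<current> <pending>" (assumed layout).
    bool_dir = os.path.join(root, "booleans")
    for name in sorted(os.listdir(bool_dir)) if os.path.isdir(bool_dir) else []:
        fields = (_read(bool_dir, name) or "").split()
        if len(fields) == 2:
            # Stored as a (current, pending) tuple of bools.
            status["booleans"][name] = (fields[0] == "1", fields[1] == "1")
    return status

# Constructed sample tree (not captured from a real system) for offline runs.
SAMPLE = {"enforce": "1", "policyvers": "19", "mls": "0",
          "avc/cache_threshold": "512", "booleans/httpd_enable_cgi": "1 0",
          "avc/hash_stats": "entries: 503\nbuckets used: 290/512\nlongest chain: 4\n"}

def write_sample(dest):
    for rel, text in SAMPLE.items():
        path = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fd:
            fd.write(text)
```

Current kernels mount selinuxfs at `/sys/fs/selinux`, so pass that as `root` there; `write_sample()` builds the constructed tree in a scratch directory for testing without SELinux.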


