[ubuntu-hardened] selinux-policy-default

Jeff Schroeder jeffschroed at gmail.com
Mon Jan 28 17:53:25 GMT 2008

On Jan 28, 2008 9:38 AM, Kees Cook <kees at ubuntu.com> wrote:
> Thanks, this should help with the "make SELinux work" goal that is being
> pursued[1] on the ubuntu-hardened mailing list.  Two things that are
> being studied currently are how to not require that upstart be removed and
> not needing to recompile the stock kernel.  So far, good progress has
> been made on both fronts.
Kees, won't making SELinux usable in >= Hardy be more difficult now that LSM
has been converted to a static interface? The AppArmor team at Novell was laid
off[1]. Now, Crispin Cowan, the brainchild and only vehement AppArmor supporter,
works at Microsoft[2].

Is there (eventually) going to be a migration path towards SELinux?
Sure you can say
Novell "supports" AppArmor. The same could be said for iFolder or the
Hula project at
one point in time though. They laid off most of the Hula team before
killing that project.

It seems like we need to make a choice.
a) Revert [3] the kernel patch that converts LSM to a static interface
and use both.
b) Continue to ship AppArmor until everything has been migrated to
SELinux and then drop it.
c) Deprecate real SELinux usage in Ubuntu like Novell has currently
chosen with SLES

Don't make my email out as another SELinux vs AppArmor flamewar
because it isn't. It is a
serious problem that might confuse users / waste development
resources. We should pick
a direction and move towards it whatever it may be. If the community
is going towards SELinux
and Canonical is going towards AppArmor, this is a conflict of
interests. Lets make peace.

[1] http://www.news.com/8301-13580_3-9796140-39.html
[2] http://blogs.msdn.com/michael_howard/archive/2008/01/17/crispin-cowan-joins-the-windows-security-team.aspx
[3]  http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=20510f2f4e2dabb0ff6c13901807627ec9452f98

Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.

More information about the ubuntu-devel mailing list