[ubuntu-hardened] Re: Some thoughts about the hardened schema

Jamie Jones jamie_jones_au at yahoo.com.au
Mon Apr 18 09:13:44 CDT 2005


[No need to CC me, I'm subscribed to the list. Thanks]

On Mon, 2005-04-18 at 00:27 +0200, Lorenzo Hernández García-Hierro
wrote: 
> On Thu, 14-04-2005 at 03:05 +1000, Jamie Jones wrote:

[Snip. Minor discussion re: libsafe]

> 
> > True. But even SELinux started as a patch once :)
> 
> It was re-implemented to use the LSM framework, so, they worked it for
> causing a *minimal* impact.

I think my sentence lost some meaning when I wrote it down, it was more
of a whimsical observation and hope that rsbac (or something similar)
would one day be a mainline alternative.

> > Better tested is another nice practical reason to me. Although wasn't
> > there some American company claiming to have patents on it a while ago ?
> 
> That's a typical absurd FUD against SELinux, read:
> http://www.securecomputing.com/pdf/Statement_of_Assurance.pdf
> 
OK. I've just read it. I found that to be strangely chilling reading. I
feel less assured after reading it. It was basically we have patents on
this, but we won't sue linux users. However, we can sell these patents,
and the new owner can do what they like, including sue linux users.

I think most of you are in the free world where software patents don't
apply. Unfortunately I no longer do, as my government signed a FTA with the
USA recently (what crack were they smoking when they did that ???) which
means I need to pay attention to crap like this. 

> > I have a strong feeling that you had answer questions like this
> > repeatedly. I do know that it has lsm support, I am under the impression
> > that there are problems with stacking multiple lsm modules in the
> > kernel, which led to my understanding that it would work "better" with
> > RSBAC. I can see practical uses for this on a samba server.
> 
> People are working on the module stacking, anyways, if there's something
> *worthy* you can't do at kernel level with SELinux, I would like to
> hear.

After trying with SELinux I'll let you know if I run into trouble with
it.

> paxtest is good after you remove the "sabotage".
<snipped patch>

Will test tonight/tomorrow on a K6/2 and Athlon64 box.

> > Ubuntu's not server capable ?? I've already deployed it as a public web
> > server. Works fine for me.
> 
> I didn't say that: "Ubuntu is directed to desktops, but lately there's
> an effort for making it server capable"
> 
> I've deployed it as testing box for my SELinux work.

That was a somewhat tongue in cheek observation that I feel it is
already server capable. I would have stuck with Debian otherwise.

-- 
GPG/PGP signed mail preferred. No HTML mail. No MS Word attachments
PGP Key ID 0x42E2C1E5
Fingerprint 3C77 9621 84C5 C32F D409 A38D A035 7E65 42E2 C1E5