[ubuntu-hardened] Re: [RFC] selinux-support (1.0.1) available
Lorenzo Hernández García-Hierro
lorenzo at gnu.org
Fri Mar 25 12:13:14 CST 2005
On Fri, 25-03-2005 at 10:31 -0500, Colin Walters wrote:
> On Fri, 2005-03-25 at 15:41 +0100, Lorenzo Hernández García-Hierro
> > In my opinion, it's going to be Ubuntu specific until it's back-accepted
> > in Debian, anyways, I expect to have, at least, the user-land ready for
> > SELinux support within the Ubuntu Linux distribution, for the Hoary+1
> > release (Breezy).
> That's probably reasonable. If Ubuntu can get SELinux working well on a
> Debian-derived system out of the box, it will probably be easier for
> Debian to then pull all of the current patches into their distribution.
> Nevertheless, I encourage you to work with Debian on this as much as
> possible. SELinux, like any access control system worth something,
> requires extensive integration with the rest of the OS. And core parts
> of the OS at that. You do not want to be deviating much from the Debian
> core for packages such as dpkg and coreutils in the long term.
I agree, the changes are not that difficult to give back for Debian,
Ubuntu is also not that different when talking about core stuff.
In short, I keep in mind both Debian and Ubuntu, just that Manoj is
doing a great job within Debian.
> Also, I strongly suggest that you look at the "targeted" policy shipping
> with Fedora. I had a glance at the Ubuntu wiki page for SELinux and it
> seems the proposed policy is "selinux-policy-default", which IIRC is the
> "strict" policy. The experience with Fedora is that strict is not yet
> workable as the default for a general-purpose OS, as Ubuntu is. If you
> can get the targeted policy as the Ubuntu default and most importantly
> *on* by default, then "Hardened Ubuntu" becomes just s/targeted/strict/,
> and perhaps a few other features. Much less work for the "Hardened"
> team. Getting as many features of "Hardened" into the core should be
> your goal anyways; I think that permanently-forked "Hardened" variants
> are basically wrong. They're kind of inherently doomed to be only used
> by a very small subset of users. You want it to be more of a proving
> ground or staging area than a fork.
Right, I agree.
I'm still getting in touch with the policy language and so on, no real
work done, but I think I will be able to work on it without difficulties.
The current "selinux-policy-default" package needs to be *re-worked*,
the configuration method is a mess, painful and not easy at all, even
I would like to know the opinion on separate policy packages.
> We're doing a lot of work in Fedora to make targeted work well, and I
> think we could work together on it to good effect.
Sure, I will take a look at it.
> I haven't really done any Debian development in a year, but I think I
> still remember much of how things work, so I'd be happy to help with any
> integration issues you might have. I'm sure the same is true of
> Russell. Posting to selinux at tycho.nsa.gov is probably your best bet.
Right, I will CC related messages to both ubuntu-hardened and selinux.
There's no formal recruitment, but if it's not all clear, everybody can
feel free to contribute and help with the work.
We are just 2 guys working on this, and I've been doing most of the
work, so, we would really appreciate help.
Thanks for the comments, cheers.
Lorenzo Hernández García-Hierro <lorenzo at gnu.org>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]