[ubuntu-hardened] Re: [RFC] selinux-support (1.0.1) available

Lorenzo Hernández García-Hierro lorenzo at gnu.org
Fri Mar 25 12:13:14 CST 2005


On Fri, 25-03-2005 at 10:31 -0500, Colin Walters wrote:
> On Fri, 2005-03-25 at 15:41 +0100, Lorenzo Hernández García-Hierro
> wrote:
> 
> > In my opinion, it's going to be Ubuntu specific until it's back-accepted
> > in Debian, anyways, I expect to have, at least, the user-land ready for
> > SELinux support within the Ubuntu Linux distribution, for the Hoary+1
> > release (Breezy).
> 
> That's probably reasonable.  If Ubuntu can get SELinux working well on a
> Debian-derived system out of the box, it will probably be easier for
> Debian to then pull all of the current patches into their distribution.
> 
> Nevertheless, I encourage you to work with Debian on this as much as
> possible.  SELinux, like any access control system worth something,
> requires extensive integration with the rest of the OS.  And core parts
> of the OS at that.  You do not want to be deviating much from the Debian
> core for packages such as dpkg and coreutils in the long term.  

I agree; the changes are not that difficult to give back to Debian, and
Ubuntu is also not that different when talking about core stuff.

In short, I keep in mind both Debian and Ubuntu, just that Manoj is
doing a great job within Debian.

> Also, I strongly suggest that you look at the "targeted" policy shipping
> with Fedora.  I had a glance at the Ubuntu wiki page for SELinux and it
> seems the proposed policy is "selinux-policy-default", which IIRC is the
> "strict" policy.  The experience with Fedora is that strict is not yet
> workable as the default for a general-purpose OS, as Ubuntu is.  If you
> can get the targeted policy as the Ubuntu default and most importantly
> *on* by default, then "Hardened Ubuntu" becomes just s/targeted/strict/,
> and perhaps a few other features.  Much less work for the "Hardened"
> team.  Getting as many features of "Hardened" into the core should be
> your goal anyways; I think that permanently-forked "Hardened" variants
> are basically wrong.  They're kind of inherently doomed to be only used
> by a very small subset of users.  You want it to be more of a proving
> ground or staging area than a fork.

Right, I agree.

I'm still getting in touch with the policy language and so on, no real
work done, but I think I will be able to work on it without difficulties
soon.

The current "selinux-policy-default" package needs to be *re-worked*;
the configuration method is a mess, painful and not easy at all, even
for maintenance.

I would like to know the opinion on separate policy packages.

> We're doing a lot of work in Fedora to make targeted work well, and I
> think we could work together on it to good effect.

Sure, I will take a look at it.

> I haven't really done any Debian development in a year, but I think I
> still remember much of how things work, so I'd be happy to help with any
> integration issues you might have.  I'm sure the same is true of
> Russell.  Posting to selinux at tycho.nsa.gov is probably your best bet.

Right, I will CC related messages to both ubuntu-hardened and selinux
lists.

There's no formal recruitment, but if it's not all clear, everybody can
feel free to contribute and help with the work.

We are just 2 guys working on this, and I've been doing most of the
work, so we would really appreciate help.

Thanks for the comments, cheers.
-- 
Lorenzo Hernández García-Hierro <lorenzo at gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]