[ubuntu-hardened] Re: [RFC] selinux-support (1.0.1) available

Colin Walters walters at verbum.org
Fri Mar 25 09:31:32 CST 2005


On Fri, 2005-03-25 at 15:41 +0100, Lorenzo Hernández García-Hierro
wrote:

> In my opinion, it's going to be Ubuntu-specific until it's back-accepted
> in Debian; anyways, I expect to have, at least, the user-land ready for
> SELinux support within the Ubuntu Linux distribution, for the Hoary+1
> release (Breezy).

That's probably reasonable.  If Ubuntu can get SELinux working well on a
Debian-derived system out of the box, it will probably be easier for
Debian to then pull all of the current patches into their distribution.

Nevertheless, I encourage you to work with Debian on this as much as
possible.  SELinux, like any access control system worth something,
requires extensive integration with the rest of the OS.  And core parts
of the OS at that.  You do not want to be deviating much from the Debian
core for packages such as dpkg and coreutils in the long term.

Also, I strongly suggest that you look at the "targeted" policy shipping
with Fedora.  I had a glance at the Ubuntu wiki page for SELinux and it
seems the proposed policy is "selinux-policy-default", which IIRC is the
"strict" policy.  The experience with Fedora is that strict is not yet
workable as the default for a general-purpose OS, as Ubuntu is.  If you
can get the targeted policy as the Ubuntu default and most importantly
*on* by default, then "Hardened Ubuntu" becomes just s/targeted/strict/,
and perhaps a few other features.  Much less work for the "Hardened"
team.  Getting as many features of "Hardened" into the core should be
your goal anyways; I think that permanently-forked "Hardened" variants
are basically wrong.  They're kind of inherently doomed to be only used
by a very small subset of users.  You want it to be more of a proving
ground or staging area than a fork.

We're doing a lot of work in Fedora to make targeted work well, and I
think we could work together on it to good effect.

I haven't really done any Debian development in a year, but I think I
still remember much of how things work, so I'd be happy to help with any
integration issues you might have.  I'm sure the same is true of
Russell.  Posting to selinux at tycho.nsa.gov is probably your best bet.
