[ubuntu-hardened] targeted policy broken?

Stephen Carpenter, KSC sjc at carpanet.net
Mon Sep 18 21:13:31 BST 2006


On Mon, Sep 18, 2006 at 10:53:25AM -0500, Crispin Cowan wrote:
> Stephen Carpenter, KSC wrote:
> > On Fri, Sep 15, 2006 at 03:31:25AM +0200, Crispin Cowan wrote:
> >   
> >> Stephen Carpenter, KSC wrote:
> >>     
> >>> [SElinux pain]  
> >>>       
> >> Try AppArmor http://www.linuxalert.org/ubuntu/apparmor/
> >>     
> > Looks cool, I may check it out. However I just came off SELinux
> > class from RedHat and it's what we are deploying at work, so I figure
> > playing with the targeted policy under ubuntu and trying to help
> > get that up to where it is now under redhat would probably not be
> > unproductive use of my time.
> >   
> Wow! Not many organizations I've encountered have the courage to
> actually deploy SELinux. Most look at it, and opt to risk vulnerability
> instead, because it is less painful :)

Ahem well, I kind of got to be the person to make that decision. :)
Shoehorned it into the project plan months ago. It's a pretty young
environment on the unix/linux side so there is a lot of room to bring
things in fresh without having to worry about integrating with lots of
existing stuff.

> But if that is what your office is doing, then I can't argue with the
> wisdom of being familiar with what you are going to be fighting with in
> your job.

The targeted policy isn't so bad. By default it only constricts a small
set of things, and gives you a base with which to write new policies.

So far so good, I got the RPM of the source, it compiled cleanly,
tweaked my initial policy loading script... 

I am guessing from the resounding silence on this, nobody else is
actually playing with this right now? Guess I should make a cut at some
updated packages myself then. Been a while since I made .debs 

-Steve

-- 
Q:      How many psychiatrists does it take to change a light bulb?
A:      Only one, but it takes a long time, and the light bulb has
        to really want to change.


