[ubuntu-hardened] targeted policy broken?
Stephen Carpenter, KSC
sjc at carpanet.net
Mon Sep 18 21:13:31 BST 2006
On Mon, Sep 18, 2006 at 10:53:25AM -0500, Crispin Cowan wrote:
> Stephen Carpenter, KSC wrote:
> > On Fri, Sep 15, 2006 at 03:31:25AM +0200, Crispin Cowan wrote:
> >> Stephen Carpenter, KSC wrote:
> >>> [SElinux pain]
> >> Try AppArmor http://www.linuxalert.org/ubuntu/apparmor/
> > Looks cool, I may check it out. However I just came off SELinux
> > class from RedHat and it's what we are deploying at work, so I figure
> > playing with the targeted policy under ubuntu and trying to help
> > get that up to where it is now under redhat would probably not be
> > unproductive use of my time.
> Wow! Not many organizations I've encountered have the courage to
> actually deploy SELinux. Most look at it, and opt to risk vulnerability
> instead, because it is less painful :)
Ahem well, I kind of got to be the person to make that decision. :)
Shoehorned it into the project plan months ago. It's a pretty young
environment on the unix/linux side so there is a lot of room to bring
things in fresh without having to worry about integrating with lots of
> But if that is what your office is doing, then I can't argue with the
> wisdom of being familiar with what you are going to be fighting with in
> your job.
The targeted policy isn't so bad. By default it only constricts a small
set of things, and gives you a base with which to write new policies.
So far so good, I got the RPM of the source, it compiled cleanly,
tweaked my initial policy loading script...
I am guessing from the resounding silence on this, nobody else is
actually playing with this right now? Guess I should make a cut at some
updated packages myself then. Been a while since I made .debs.
Q: How many psychiatrists does it take to change a light bulb?
A: Only one, but it takes a long time, and the light bulb has
to really want to change.