[ubuntu-hardened] selinux-policy-default

Kees Cook kees at ubuntu.com
Mon Jan 28 18:59:03 GMT 2008

On Mon, Jan 28, 2008 at 09:53:25AM -0800, Jeff Schroeder wrote:
> Kees, won't making SELinux usable in >= Hardy be more difficult now that LSM
> has been converted to a static interface?

No, it's just a boot-time option now instead of being loadable/unloadable
via modules.  i.e. to boot an Ubuntu kernel with SELinux, you want to just
add "selinux=1 apparmor.enabled=0" to the boot flags.  (Multiple LSMs can
be and are built into the kernel, but only one can be enabled at a time.)

> The AppArmor team at Novell was laid off[1].

Only some of them.  There is still active development[1], and Novell
continues to be dedicated to using AppArmor for its MAC solution.

[1] https://forgesvn1.novell.com/svn/apparmor/trunk/kernel-patches/for-mainline/

> Is there (eventually) going to be a migration path towards SELinux?

One of the things I'd like to see for Hardy is an easy way for people to
use SELinux.  While Ubuntu will continue to use AppArmor by default due
to it more closely matching our usability goals, I don't want to see
this stopping people from being able to use SELinux where they want to.

> Don't make my email out as another SELinux vs AppArmor flamewar
> because it isn't. It is a serious problem that might confuse users /
> waste development resources. We should pick a direction and move
> towards it whatever it may be. If the community is going towards
> SELinux and Canonical is going towards AppArmor, this is a conflict of
> interests. Let's make peace.

Sure, I don't have any intention of starting a flame war.  :)  I generally
believe that profile/policy development for either MAC system will help
the other.  Sure, there may be some duplication of effort here, but this
is the price for being able to choose between MAC systems.


Kees Cook
Ubuntu Security Team
