[ubuntu-hardened] Configuring services for Smack

Casey Schaufler casey at schaufler-ca.com
Tue Jun 17 01:07:49 BST 2008


For the security team meeting Thursday June 19th I
promised to provide the Smack equivalent to the
AppArmor profile for CUPS. The attached PDF is an
attempt to describe how one would configure a server
for use with Smack, which is different from a
description of how to configure Smack for CUPS, but
more in keeping with the way Smack works.

You don't really configure Smack. Smack is perfectly
happy to run with all processes using the floor label,
which is what init starts with, and all files labeled
to the floor label by default. Of course, you get no
additional value from Smack this way. You get value by
running the processes you trust less than the system
(e.g. user processes) with labels other than floor.
It is then the services themselves that must be taught
about Smack. As the paper describes, there are three
ways to do this:

- set the service running with the label of the clients
- use the Smack port multiplexer smackpolyport(1) to
  distribute requests from a well known port to a set
  of servers running with various labels
- modify the server application to be cognizant of Smack.

Thank you.

-- 

----------------------

Casey Schaufler
casey at schaufler-ca.com
650.906.1780


-------------- next part --------------
A non-text attachment was scrubbed...
Name: SmackServices080616.pdf
Type: application/pdf
Size: 198403 bytes
Desc: not available
Url : https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20080616/60209eb1/attachment-0001.pdf 
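The following is an added example, not part of the message above or of the attached paper. It is a simplified Python model of Smack's documented access rules, showing why a service left at the floor label cannot hold a conversation with a client given a different label, and how running a server with the client's label resolves that. The labels `User` and `Guest`, the function names, and the treatment of a two-way exchange as write access in both directions are assumptions made for this model.

```python
# Simplified model of the Smack access check (added example, not kernel code).
# Labels "User" and "Guest" are constructed for illustration.
FLOOR, HAT, STAR = "_", "^", "*"


def allowed(subject, obj, access, rules):
    """True if a task labeled `subject` may do every mode in `access` on `obj`.

    `access` is a string over "rwxa"; `rules` maps (subject, object) -> modes,
    standing in for the explicitly loaded rule set.
    """
    want = set(access)
    if subject == STAR:                        # star subjects get nothing
        return False
    if subject == HAT and want <= set("rx"):   # hat may read/execute anything
        return True
    if obj == FLOOR and want <= set("rx"):     # anyone may read/execute floor
        return True
    if obj == STAR:                            # star objects accept any access
        return True
    if subject == obj:                         # same label: always permitted
        return True
    return want <= set(rules.get((subject, obj), ""))


def can_converse(client, server, rules):
    """Assumption: a request/response exchange needs each side to have
    write access to the other side's label."""
    return (allowed(client, server, "w", rules)
            and allowed(server, client, "w", rules))


def usable_servers(client, server_labels, rules):
    """Of several server instances running at different labels, return the
    labels this client could actually talk to."""
    return [s for s in server_labels if can_converse(client, s, rules)]


if __name__ == "__main__":
    no_rules = {}
    # Everything at floor: works, but Smack separates nothing.
    print("floor <-> floor:", can_converse(FLOOR, FLOOR, no_rules))
    # Client relabeled, service left at floor: the exchange is denied.
    print("User  <-> floor:", can_converse("User", FLOOR, no_rules))
    # Service started with the client's label: permitted again.
    print("User  <-> User :", can_converse("User", "User", no_rules))
    # Several instances at different labels: only the matching one is usable.
    print("Guest can use  :", usable_servers("Guest", ["User", "Guest", FLOOR], no_rules))
```
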

