[ubuntu-hardened] SELinux in main/restricted

Kees Cook kees at ubuntu.com
Thu Feb 11 21:47:17 GMT 2010

Hi Florian,

On Thu, Feb 11, 2010 at 08:38:39PM +0100, Florian Friesdorf wrote:
> Currently selinux is in the universe repo (karmic). As far as I
> understand that means it is entirely unsupported and does not receive
> any review or updates by the security team - for a package like selinux
> this sounds weird.

I don't feel that "entirely unsupported" is right; it's looked after by a
few people, including several folks from Tresys.  It does receive review
(and updates) by various people, including myself (I'm on the Ubuntu
Security Team).  Traditionally, I work to make sure that the core of
Ubuntu is capable of handling selinux (our extensive changes to system
boot, for example, need to be dealt with correctly).

All that said, it is not by any means a focus of effort by Canonical (who
employs me).  As such, it is considered "community supported".  But that
community includes Tresys.  :)

> What is the status of selinux in ubuntu?

AFAIU, it works, but has a relatively stock reference policy.

> Is there an estimate when it will go into main/restricted?

There are no plans presently for SELinux to go into main.

> I'd like to set up a server (nginx, zope, varnish, exim/postfix,
> dovecot, mailman, bind) with selinux and wonder whether I came to the
> right distribution.

Well, given all the other security features[1] in Ubuntu, I recommend
Ubuntu.  But I'm pretty biased.  ;)

Good luck!


[1] https://wiki.ubuntu.com/Security/Features#Matrix

Kees Cook
Ubuntu Security Team
