[ubuntu-hardened] SELinux in main/restricted

Florian Friesdorf flo at chaoflow.net
Sun Feb 14 07:35:18 GMT 2010

Hi Kees,

On Thu, Feb 11, 2010 at 01:47:17PM -0800, Kees Cook wrote:
> Hi Florian,
> On Thu, Feb 11, 2010 at 08:38:39PM +0100, Florian Friesdorf wrote:
> > currently selinux is in the universe repo (karmic). As far as I
> > understand that means it is entirely unsupported and does not receive
> > any review or updates by the security team - for a package like selinux
> > this sounds weird.
> I don't feel that "entirely unsupported" is right; it's looked after by a
> few people, including several folks from Tresys.  It does receive review
> (and updates) by various people, including myself (I'm on the Ubuntu
> Security Team).  Traditionally, I work to make sure that the core of
> Ubuntu is capable of handling selinux (our extensive changes to system
> boot, for example, need to be dealt with correctly).
> All that said, it is not by any means a focus of effort by Canonical (who
> employs me).  As such, it is considered "community supported".  But that
> community includes Tresys.  :)

This sounds good enough :)

> > What is the status of selinux in ubuntu?
> AFAIU, it works, but has a relatively stock reference policy.

My knowledge of selinux is minimal so far. In gentoo there are many
policy packages for the different services, however, currently they are
shifting to refpolicy v2 and the whole thing is broken.

I did not see any such service-specific policies in ubuntu. Will I end
up writing my own policies or is it possible to copy these from, e.g.

> > I'd like to set up a server (nginx, zope, varnish, exim/postfix,
> > dovecot, mailman, bind) with selinux and wonder whether I came to the
> > right distribution.
> Well, given all the other security features[1] in Ubuntu, I recommend
> Ubuntu.  But I'm pretty biased.  ;)
> [1] https://wiki.ubuntu.com/Security/Features#Matrix

So far I was running gentoo with a hardened kernel (PAX, no GRSec yet)
and hardened toolchain. As far as I could figure from the security
features[1] the userland on ubuntu seems to use the same things as

For the kernel, I'd like to use PAX again at least, better grsecurity
and even better selinux. I found some related userspace tools (paxctl,
gradm2) but am missing the grsecurity kernel patch. Given that there are
more than 27000 packages in main/universe, I wonder whether there is a
deeper reason that this patch is not packaged, esp. as gradm2 suggests
it. Similarly for paxtest on amd64: I found older discussions that it is
broken on amd64. At least on gentoo, I have 0.9.7_pre4 on amd64 and as
far as I can tell it works, so at least for lucid (the unstable?) there
could/should be one.

thank you very much

Florian Friesdorf <flo at chaoflow.net>
  GPG FPR: EA5C F2B4 FBBB BA65 3DCD  E8ED 82A1 6522 4A1F 4367
Jabber/XMPP: flo at chaoflow.net
  OTR FPR: 9E191746 213321FE C896B37D 24B118C0 31785700
IRC: chaoflow on freenode,ircnet,blafasel,OFTC