SELinux: What's the Ubuntu trick?
Michael T. Richter
ttmrichter at gmail.com
Thu Jun 1 23:49:31 UTC 2006
On Thu, 2006-01-06 at 18:58 +0200, Magnus Runesson wrote:
> The rest of this answer may not be the answer you want, but anyway.
I welcome the other perspective.
> I have earlier tried to learn SELinux on Fedora but gave up since it was
> too complex to be usable in an ordinary computer environment. It is too
> hard to change for a normal system administrator or software developer.
I've noticed that already with CentOS. SELinux is impressive in its
lockdown capabilities, but it's worse than using the Windows security
APIs/tools to get there.
> When Novell released Apparmor, I decided to give it a try. I am fully
> aware that a lot of things are in a Computer Science perspective better
> in SELinux, but I found Apparmor much more usable in a practical
> environment. I have therefore done some proof of concept packaging for
> Ubuntu Dapper. If these packages fit your need you are more than
> welcome to test them.
I will certainly take a look at Apparmor, but it will likely not be the
system we go with. The administration issues surrounding SELinux aren't
that vital, all things told. The project this is intended for is a
self-contained, fixed box. It has a small system and a correspondingly
small number of active applications, servers, users, etc. Because it is
a self-contained box, we want to lock the thing down as tight as it can
get -- and that pretty much means SELinux. We will be hand-configuring
each and every file (literally!) and making sure that only the files
appropriate to a given user/group or app will be accessible to that
given user/group or app. Then we ship. The only way the configuration
will change afterwards -- outside of the configuration options we choose
to expose with our app -- is when the system gets reFLASHed.
> A draft of a specification, with more information, can be found at
> https://wiki.ubuntu.com/AppArmor
> The packages can be found at http://www.linuxalert.org/ubuntu/apparmor/.
Thank you again. I'll take a look at it. It could be that it does what
we need.
--
Michael T. Richter
Email: ttmrichter at gmail.com, mtr1966 at hotpop.com
MSN: ttmrichter at hotmail.com, mtr1966 at hotmail.com; YIM:
michael_richter_1966; AIM: YanJiahua1966; ICQ: 241960658; Jabber:
mtr1966 at jabber.cn
"I would not flinch from sacrificing a million lives for India's
liberty!" --Mahatma Gandhi