Ubuntu SELinux status.

christopher.lemire at gmail.com
Fri Oct 23 05:47:16 UTC 2009


I tried selinuxtroubleshooter, did not work. I solved problem #1 and got a little further and ran into problem #2. Then I said forget it, I don't have time to make all the nice things of selinux work in Ubuntu. My SELinux is still running and if I edit the kernel params from the grub menu to not boot with SELinux, my computer's beep speakers turn into a boombox while Ubuntu and my vanilla kernel boot up. Maybe it's that I put selinux directly into the kernel rather than modularizing it. My kernel is unpatched. I only have a few modules that are patched, like the ones from aircrack-ng, for ensuring the security is tight on my own network, which it is. The article made a false statement and asked a dumb question. Why would anyone want to use SELinux when there's apparmor, it said. Simple answer: it's no Security Enhanced Linux. I can elaborate more. It said selinuxtroubleshooter is not available. False, it's available in a broken state. What's new to me is that selinux has been available since 8.04 and it's still in a broken state :( Too many non power users switching from windows and not enough demand for it.

-----Original Message-----
From: Tom H <tomh0665 at gmail.com>
Date: Thu, 22 Oct 2009 20:51:45 
To: <ubuntu-users at lists.ubuntu.com>
Subject: Re: Ubuntu SELinux status.

On Thu, Oct 22, 2009 at 8:34 PM, Hal Burgiss <hal at burgiss.net> wrote:
> On Thu, Oct 22, 2009 at 06:26:43PM +0100, Avi Greenbury wrote:
>> > https://wiki.ubuntu.com/SELinux

>> In general, the distro's own page is a pretty poor place to go to find
>> out how well they've implemented something. The users of that feature
>> under that distro are a far better bet.
>> Unfortunately, I'm not one of those.

> My impression is Canonical is moving away from SELinux and adopting apparmor
> in its place. Not to say you can't make it work, but I'd suspect some hair
> pulling, etc at some point.

First para from http://lwn.net/Articles/355015/

SELinux in Ubuntu

Caleb Case reported on the status of SELinux in Ubuntu. Since Ubuntu
already uses AppArmor, one of the obvious questions was: why would
Ubuntu add SELinux? Case said that users were asking for it and that
having more options for running SELinux (beyond Fedora/RHEL) was
desirable. Ubuntu has had SELinux available to install since Hardy
Heron (8.04), but it has many more policy modules enabled in Jaunty
(9.04) and Karmic (soon to be released 9.10).

The SELinux policy "needs work", Case said, and SELinux in Ubuntu is
"not nearly as slick" as it is in Fedora, but it is a work in
progress. Users can now do an apt-get install selinux, which will pull
in everything that is needed and uninstall AppArmor. The installation
updates initramfs, installs the policy, and schedules a system
relabel.

Policy is loaded from initramfs instead of via a patched init as has
been done in the past. The upstart maintainers did not want to carry a
patch to do policy loading, as they didn't want to have to patch for
each and every Linux Security Module (LSM) that came along. As it
turns out, loading from initramfs is becoming the popular option.
Fedora is doing that via dracut and someone from the AppArmor team
spoke up to note that it had switched over to loading policy from
initramfs as well.

In the future, Case would like to see setroubleshoot added to Ubuntu
and integrated with the desktop. They would like to enable more policy
modules by default, so setroubleshoot would come in handy. Case said
that the Ubuntu policy has fewer confined daemons than Fedora does,
and that the reference policy has not been changed anywhere near as
much as it has for Fedora. He invited the audience to "check it out,
[and] see if it works, or doesn't" and joked that bugs should be
submitted to Red Hat's Dan Walsh.

-- 
ubuntu-users mailing list
ubuntu-users at lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
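The thread above turns on three things that are easy to get wrong on an Ubuntu box of that era: which LSM the kernel command line actually selects (the "selinux=" and "security=" parameters Christopher edits from the grub menu), whether the policy was really loaded from the initramfs, and whether the relabel scheduled by the install is still pending. The script below is an added example, not code from the thread or from the Ubuntu packages; it assumes the standard kernel interfaces (/proc/cmdline, the selinuxfs "enforce" node at either /sys/fs/selinux or the older /selinux mount point, and /.autorelabel) and keeps the parsing in functions that take their input as arguments so they can be checked on constructed strings.

```shell
#!/bin/sh
# Added example: summarise the SELinux/LSM state of an Ubuntu system.

# active_lsm_from_cmdline "<kernel cmdline>": print the LSM the command line
# asks for. "security=<name>" picks the major LSM; "selinux=0" disables SELinux
# unless a different LSM was explicitly chosen; nothing set prints "default".
active_lsm_from_cmdline() {
    sec=default
    selflag=
    for arg in $1; do
        case "$arg" in
            security=*) sec="${arg#security=}" ;;
            selinux=*)  selflag="${arg#selinux=}" ;;
        esac
    done
    if [ "$selflag" = 0 ] && { [ "$sec" = default ] || [ "$sec" = selinux ]; }; then
        echo selinux-disabled
    elif [ "$sec" = default ] && [ "$selflag" = 1 ]; then
        echo selinux
    else
        echo "$sec"
    fi
}

# selinux_mode "<contents of the enforce node>": "enforcing", "permissive", or
# "not-loaded" when selinuxfs is absent, which is what a stale initramfs
# (policy never loaded at boot) looks like from userspace.
selinux_mode() {
    case "$1" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo not-loaded ;;
    esac
}

# selinux_report: run the checks against the live system (assumed paths).
selinux_report() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    enforce=
    for node in /sys/fs/selinux/enforce /selinux/enforce; do
        [ -r "$node" ] && enforce=$(cat "$node") && break
    done
    printf 'cmdline LSM : %s\n' "$(active_lsm_from_cmdline "$cmdline")"
    printf 'selinux mode: %s\n' "$(selinux_mode "$enforce")"
    if [ -e /.autorelabel ]; then
        echo 'relabel     : pending (/.autorelabel present, next boot relabels)'
    else
        echo 'relabel     : none scheduled'
    fi
    return 0
}

selinux_report
```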