On Wed, Jan 5, 2011 at 2:51 PM, Martin Peres <martin.peres@free.fr> wrote:
Le 05/01/2011 22:39, Thomas S Hatch a écrit :
On Wed, Jan 5, 2011 at 2:33 PM, Martin Peres<martin.peres@free.fr>
wrote:
Le 05/01/2011 22:21, Thomas S Hatch a écrit :
Oh, it is lower on my list, but I wanted to make SELinux more powerful in
Arch too, I am one of the VERY few who not only know how to handle SELinux, and likes to use it :)
You WHAT? You like to use it? You must be a masochist then ;)
I've been working around and on it for 2 years now and I wouldn't use it for any desktop (even though that's what I'm doing at work).
Are you using the targeted mode or the strict one (I'm always using the strict mode)?
Well of course you have to move in and around it using the strict mode! Do you know who developed that? The NSA, and don't tell them I said anything, but I don't trust those guys :)
Personally, I would not use SELinux on a desktop, I think that SELinux is best suited for machines with static configurations that servers content often to the open internet. So with that said, SELinux is best for DNS servers, Mail servers, routers etc.
And the strict policy is too strict, often it thinks that booting is a security violation!
See what I mean though? Most people don't like it, personally, I do NOT endorse turning it on by default, I think that that is a bit crazy.
Oh sure, SELinux is simple on servers ;) My researchs are about dynamicaly loading policy modules according to the current user's task. It works kind of well.
I've written some helpers to generate security policies automatically, it makes you a working policy in less than 4 minutes (for firefox). You're done in a little more than 10 minutes (test & audit).
Currently, I'm working on adding a memory access control in SELinux (just for fun, we'll see how it works).
I know all of this is crazy, hence the reason I'm kind of fed up with SELinux even though it is really powerful!
Anyway, I'm using Gentoo Hardened for my research. The only non-Arch OS I'm using.
Wow, this sounds like great stuff! I would love to get my hands on it, this could make policy tuning a walk in the park! Is this open source? Can I see your code? What is it written in?