[aur-general] TU Application -Thomas Hatch

Thomas S Hatch thatch45 at gmail.com
Wed Jan 5 16:54:48 EST 2011


On Wed, Jan 5, 2011 at 2:51 PM, Martin Peres <martin.peres at free.fr> wrote:

> On 05/01/2011 22:39, Thomas S Hatch wrote:
>
>> On Wed, Jan 5, 2011 at 2:33 PM, Martin Peres <martin.peres at free.fr>
>> wrote:
>>
>>> On 05/01/2011 22:21, Thomas S Hatch wrote:
>>>
>>>> Oh, it is lower on my list, but I wanted to make SELinux more powerful in
>>>> Arch too, I am one of the VERY few who not only knows how to handle
>>>> SELinux, but also likes to use it :)
>>>>
>>> You WHAT? You like to use it? You must be a masochist then ;)
>>>
>>> I've been working around and on it for 2 years now and I wouldn't use it
>>> for any desktop (even though that's what I'm doing at work).
>>>
>>> Are you using the targeted mode or the strict one (I'm always using the
>>> strict mode)?
>>>
>> Well of course you have to move in and around it using the strict mode! Do
>> you know who developed that? The NSA, and don't tell them I said anything,
>> but I don't trust those guys :)
>>
>> Personally, I would not use SELinux on a desktop, I think that SELinux is
>> best suited for machines with static configurations that serve content
>> often to the open internet. So with that said, SELinux is best for DNS
>> servers, Mail servers, routers etc.
>>
>> And the strict policy is too strict, often it thinks that booting is a
>> security violation!
>>
>> See what I mean though? Most people don't like it, personally, I do NOT
>> endorse turning it on by default, I think that that is a bit crazy.
>>
> Oh sure, SELinux is simple on servers ;) My research is about dynamically
> loading policy modules according to the current user's task. It works kind
> of well.
>
> I've written some helpers to generate security policies automatically, it
> makes you a working policy in less than 4 minutes (for firefox). You're done
> in a little more than 10 minutes (test & audit).
>
> Currently, I'm working on adding a memory access control in SELinux (just
> for fun, we'll see how it works).
>
> I know all of this is crazy, hence the reason I'm kind of fed up with
> SELinux even though it is really powerful!
>
> Anyway, I'm using Gentoo Hardened for my research. The only non-Arch OS I'm
> using.
>

Wow, this sounds like great stuff! I would love to get my hands on it, this
could make policy tuning a walk in the park!

Is this open source? Can I see your code? What is it written in?

