[aur-general] TU Application -Thomas Hatch

Thomas S Hatch thatch45 at gmail.com
Wed Jan 5 17:19:31 EST 2011

On Wed, Jan 5, 2011 at 3:13 PM, Martin Peres <martin.peres at free.fr> wrote:

> Le 05/01/2011 22:54, Thomas S Hatch a écrit :
>  On Wed, Jan 5, 2011 at 2:51 PM, Martin Peres<martin.peres at free.fr>
>>  wrote:
>>  Le 05/01/2011 22:39, Thomas S Hatch a écrit :
>>>  On Wed, Jan 5, 2011 at 2:33 PM, Martin Peres<martin.peres at free.fr>
>>>>  wrote:
>>>>  Le 05/01/2011 22:21, Thomas S Hatch a écrit :
>>>>>  Oh, it is lower on my list, but I wanted to make SELinux more powerful
>>>>> in
>>>>>  Arch too, I am one of the VERY few who not only know how to handle
>>>>>> SELinux,
>>>>>> and likes to use it :)
>>>>>>  You WHAT? You like to use it? You must be a masochist then ;)
>>>>> I've been working around and on it for 2 years now and I wouldn't use
>>>>> it
>>>>> for any desktop (even though that's what I'm doing at work).
>>>>> Are you using the targeted mode or the strict one (I'm always using the
>>>>> strict mode)?
>>>>>  Well of course you have to move in and around it using the strict
>>>> mode! Do
>>>> you know who developed that? The NSA, and don't tell them I said
>>>> anything,
>>>> but I don't trust those guys :)
>>>> Personally, I would not use SELinux on a desktop, I think that SELinux
>>>> is
>>>> best suited for machines with static configurations that servers content
>>>> often to the open internet. So with that said, SELinux is best for DNS
>>>> servers, Mail servers, routers etc.
>>>> And the strict policy is too strict, often it thinks that booting is a
>>>> security violation!
>>>> See what I mean though? Most people don't like it, personally, I do NOT
>>>> endorse turning it on by default, I think that that is a bit crazy.
>>>>  Oh sure, SELinux is simple on servers ;) My researchs are about
>>> dynamicaly
>>> loading policy modules according to the current user's task. It works
>>> kind
>>> of well.
>>> I've written some helpers to generate security policies automatically, it
>>> makes you a working policy in less than 4 minutes (for firefox). You're
>>> done
>>> in a little more than 10 minutes (test&  audit).
>>> Currently, I'm working on adding a memory access control in SELinux (just
>>> for fun, we'll see how it works).
>>> I know all of this is crazy, hence the reason I'm kind of fed up with
>>> SELinux even though it is really powerful!
>>> Anyway, I'm using Gentoo Hardened for my research. The only non-Arch OS
>>> I'm
>>> using.
>>>  Wow, this sounds like great stuff! I would love to get my hands on it,
>> this
>> could make policy tuning a walk in the park!
>> Is this open source? Can I see your code? What is it written in?
> The automated policy creation is in Python. The other project that detects
> the user's activity and changes the SELinux modules of an application is
> written in C/C++/Qt, there are also patches needed for Firefox and
> claws-mail. The basic idea is defined here:
> http://mupuf.org/blog/article/39/ (read the article). I've done at least
> two major rewrites since then to add features and improve the configuration
> files.
> I'll ask my employers (my teachers/researchers I'm working with) if they
> are ok with open sourcing the python auditer. The other research project
> will be released for sure but I'm still working on it and it is not ready
> for a public release yet)
> There is still a lot of polishing to be done and I still have to write a
> paper on it to show the problem of automated policy creation and labelling.
> If you want more info, please send me a mail ;) I'll keep you updated on
> this!
> Good luck with your application :)
> Martin

Thanks this sounds interesting, I will shoot you an email off list

More information about the aur-general mailing list