[aur-general] TU Application -Thomas Hatch
Thomas S Hatch
thatch45 at gmail.com
Wed Jan 5 17:19:31 EST 2011
On Wed, Jan 5, 2011 at 3:13 PM, Martin Peres <martin.peres at free.fr> wrote:
> Le 05/01/2011 22:54, Thomas S Hatch a écrit :
>
> On Wed, Jan 5, 2011 at 2:51 PM, Martin Peres<martin.peres at free.fr>
>> wrote:
>>
>> Le 05/01/2011 22:39, Thomas S Hatch a écrit :
>>>
>>> On Wed, Jan 5, 2011 at 2:33 PM, Martin Peres<martin.peres at free.fr>
>>>
>>>> wrote:
>>>>
>>>> Le 05/01/2011 22:21, Thomas S Hatch a écrit :
>>>>
>>>>> Oh, it is lower on my list, but I wanted to make SELinux more powerful
>>>>> in
>>>>>
>>>>> Arch too, I am one of the VERY few who not only know how to handle
>>>>>> SELinux,
>>>>>> and likes to use it :)
>>>>>>
>>>>>> You WHAT? You like to use it? You must be a masochist then ;)
>>>>>>
>>>>> I've been working around and on it for 2 years now and I wouldn't use
>>>>> it
>>>>> for any desktop (even though that's what I'm doing at work).
>>>>>
>>>>> Are you using the targeted mode or the strict one (I'm always using the
>>>>> strict mode)?
>>>>>
>>>>> Well of course you have to move in and around it using the strict
>>>> mode! Do
>>>> you know who developed that? The NSA, and don't tell them I said
>>>> anything,
>>>> but I don't trust those guys :)
>>>>
>>>> Personally, I would not use SELinux on a desktop, I think that SELinux
>>>> is
>>>> best suited for machines with static configurations that servers content
>>>> often to the open internet. So with that said, SELinux is best for DNS
>>>> servers, Mail servers, routers etc.
>>>>
>>>> And the strict policy is too strict, often it thinks that booting is a
>>>> security violation!
>>>>
>>>> See what I mean though? Most people don't like it, personally, I do NOT
>>>> endorse turning it on by default, I think that that is a bit crazy.
>>>>
>>>> Oh sure, SELinux is simple on servers ;) My researchs are about
>>> dynamicaly
>>> loading policy modules according to the current user's task. It works
>>> kind
>>> of well.
>>>
>>> I've written some helpers to generate security policies automatically, it
>>> makes you a working policy in less than 4 minutes (for firefox). You're
>>> done
>>> in a little more than 10 minutes (test& audit).
>>>
>>> Currently, I'm working on adding a memory access control in SELinux (just
>>> for fun, we'll see how it works).
>>>
>>> I know all of this is crazy, hence the reason I'm kind of fed up with
>>> SELinux even though it is really powerful!
>>>
>>> Anyway, I'm using Gentoo Hardened for my research. The only non-Arch OS
>>> I'm
>>> using.
>>>
>>> Wow, this sounds like great stuff! I would love to get my hands on it,
>> this
>> could make policy tuning a walk in the park!
>>
>> Is this open source? Can I see your code? What is it written in?
>>
> The automated policy creation is in Python. The other project that detects
> the user's activity and changes the SELinux modules of an application is
> written in C/C++/Qt, there are also patches needed for Firefox and
> claws-mail. The basic idea is defined here:
> http://mupuf.org/blog/article/39/ (read the article). I've done at least
> two major rewrites since then to add features and improve the configuration
> files.
>
> I'll ask my employers (my teachers/researchers I'm working with) if they
> are ok with open sourcing the python auditer. The other research project
> will be released for sure but I'm still working on it and it is not ready
> for a public release yet)
>
> There is still a lot of polishing to be done and I still have to write a
> paper on it to show the problem of automated policy creation and labelling.
>
> If you want more info, please send me a mail ;) I'll keep you updated on
> this!
>
> Good luck with your application :)
>
> Martin
>
Thanks this sounds interesting, I will shoot you an email off list
More information about the aur-general
mailing list