On Wed, Jan 5, 2011 at 2:51 PM, Martin Peres <martin.pe...@free.fr> wrote:
> On 05/01/2011 22:39, Thomas S Hatch wrote:
>
>> On Wed, Jan 5, 2011 at 2:33 PM, Martin Peres <martin.pe...@free.fr> wrote:
>>
>>> On 05/01/2011 22:21, Thomas S Hatch wrote:
>>>
>>>> Oh, it is lower on my list, but I wanted to make SELinux more powerful
>>>> in Arch too, I am one of the VERY few who not only know how to handle
>>>> SELinux, but like to use it :)
>>>
>>> You WHAT? You like to use it? You must be a masochist then ;)
>>>
>>> I've been working around and on it for 2 years now and I wouldn't use it
>>> for any desktop (even though that's what I'm doing at work).
>>>
>>> Are you using the targeted mode or the strict one (I'm always using the
>>> strict mode)?
>>
>> Well of course you have to move in and around it using the strict mode! Do
>> you know who developed that? The NSA, and don't tell them I said anything,
>> but I don't trust those guys :)
>>
>> Personally, I would not use SELinux on a desktop, I think that SELinux is
>> best suited for machines with static configurations that serve content
>> often to the open internet. So with that said, SELinux is best for DNS
>> servers, Mail servers, routers etc.
>>
>> And the strict policy is too strict, often it thinks that booting is a
>> security violation!
>>
>> See what I mean though? Most people don't like it, personally, I do NOT
>> endorse turning it on by default, I think that that is a bit crazy.
>
> Oh sure, SELinux is simple on servers ;) My research is about dynamically
> loading policy modules according to the current user's task. It works kind
> of well.
>
> I've written some helpers to generate security policies automatically, it
> makes you a working policy in less than 4 minutes (for firefox). You're done
> in a little more than 10 minutes (test & audit).
>
> Currently, I'm working on adding a memory access control in SELinux (just
> for fun, we'll see how it works).
>
> I know all of this is crazy, hence the reason I'm kind of fed up with
> SELinux even though it is really powerful!
>
> Anyway, I'm using Gentoo Hardened for my research. The only non-Arch OS I'm
> using.

Wow, this sounds like great stuff! I would love to get my hands on it, this
could make policy tuning a walk in the park!

Is this open source? Can I see your code? What is it written in?