Le 05/01/2011 22:54, Thomas S Hatch a écrit :
On Wed, Jan 5, 2011 at 2:51 PM, Martin Peres<martin.pe...@free.fr> wrote:
Le 05/01/2011 22:39, Thomas S Hatch a écrit :
On Wed, Jan 5, 2011 at 2:33 PM, Martin Peres<martin.pe...@free.fr>
wrote:
Le 05/01/2011 22:21, Thomas S Hatch a écrit :
Oh, it is lower on my list, but I wanted to make SELinux more powerful
in
Arch too, I am one of the VERY few who not only know how to handle
SELinux,
and likes to use it :)
You WHAT? You like to use it? You must be a masochist then ;)
I've been working around and on it for 2 years now and I wouldn't use it
for any desktop (even though that's what I'm doing at work).
Are you using the targeted mode or the strict one (I'm always using the
strict mode)?
Well of course you have to move in and around it using the strict mode! Do
you know who developed that? The NSA, and don't tell them I said anything,
but I don't trust those guys :)
Personally, I would not use SELinux on a desktop, I think that SELinux is
best suited for machines with static configurations that servers content
often to the open internet. So with that said, SELinux is best for DNS
servers, Mail servers, routers etc.
And the strict policy is too strict, often it thinks that booting is a
security violation!
See what I mean though? Most people don't like it, personally, I do NOT
endorse turning it on by default, I think that that is a bit crazy.
Oh sure, SELinux is simple on servers ;) My researchs are about dynamicaly
loading policy modules according to the current user's task. It works kind
of well.
I've written some helpers to generate security policies automatically, it
makes you a working policy in less than 4 minutes (for firefox). You're done
in a little more than 10 minutes (test& audit).
Currently, I'm working on adding a memory access control in SELinux (just
for fun, we'll see how it works).
I know all of this is crazy, hence the reason I'm kind of fed up with
SELinux even though it is really powerful!
Anyway, I'm using Gentoo Hardened for my research. The only non-Arch OS I'm
using.
Wow, this sounds like great stuff! I would love to get my hands on it, this
could make policy tuning a walk in the park!
Is this open source? Can I see your code? What is it written in?
The automated policy creation is in Python. The other project that
detects the user's activity and changes the SELinux modules of an
application is written in C/C++/Qt, there are also patches needed for
Firefox and claws-mail. The basic idea is defined here:
http://mupuf.org/blog/article/39/ (read the article). I've done at least
two major rewrites since then to add features and improve the
configuration files.
I'll ask my employers (my teachers/researchers I'm working with) if they
are ok with open sourcing the python auditer. The other research project
will be released for sure but I'm still working on it and it is not
ready for a public release yet)
There is still a lot of polishing to be done and I still have to write a
paper on it to show the problem of automated policy creation and labelling.
If you want more info, please send me a mail ;) I'll keep you updated on
this!
Good luck with your application :)
Martin
