HardySELinux

Revision 2 as of 2007-10-25 16:28:22


  • Launchpad Entry: selinux-support

  • Created: 2007-10-25

  • Contributors: ChadSellers

  • Packages affected: selinux-policy-*, policycoreutils, initramfs-tools

Summary

Provide SELinux as an option for Ubuntu. Much of the necessary support is already inherited from Debian. The remaining pieces include turning on SELinux when loading the kernel, adding logic for loading the SELinux policy on boot, and tailoring a default SELinux policy.

It is mandatory.

Rationale

SELinux provides security features that are extremely useful for locking down machines, particularly servers. It provides the ability to isolate processes into domains and create security policy defining what those domains can do. This capability enables users to enforce a large number of security goals, including limiting privilege, containing exploits, preventing privilege escalation, enforcing application security architecture, controlling information flow, and many others.

Use Cases

Design

Security Policy

The SELinux security policy should be fairly simple and modular. The idea here is to do everything we can to avoid breaking things on the system while at the same time adding some basic security controls. This would mean that potentially all daemons would be unconfined unless the user/admin elected to confine them.

Enabling SELinux

Make SELinux an install-time and/or run-time configuration option. We do not want to replace AppArmor, but rather offer users the choice of SELinux.

Implementation

This section should describe a plan of action (the "how") to implement the changes discussed. Could include subsections like:

UI Changes

Should cover changes required to the UI, or specific UI that is required to implement this.

Code Changes

Code changes should include an overview of what needs to change, and in some cases even the specific details.


CategorySpec