HardySELinux
HardySELinux
Launchpad Entry: selinux-support
Created: 2007-10-25
Contributors: ChadSellers
Packages affected: selinux-policy-*, policycoreutils, initramfs-tools
Summary
Provide SELinux as an option for Ubuntu. Much of the support necessary is already inherited from Debian. The remaining pieces include turning on SELinux when loading the kernel, logic for loading the SELinux policy on boot, and tailoring a default SELinux policy.
It is mandatory.
Rationale
SELinux provides security features that are extremely useful for locking down machines, particularly servers. It provides the ability to isolate processes into domains and create security policy defining what those domains can do. This capability enables users to enforce a large number of security goals, including limiting privilege, containing exploits, preventing privilege escalation, enforcing application security architecture, controlling information flow, and many others.
Use Cases
Design
Security Policy
The SELinux security policy should be fairly simple and modular. The idea here is to do everything we can to avoid breaking things on the system while at the same time adding some basic security controls. This would mean that potentially all daemons would be unconfined unless the user/admin elected to confine them.
Enabling SELinux
Make SELinux an install-time and/or run-time configuration option. We do not want to replace AppArmor, but rather offer users the choice of SELinux.
Implementation
This section should describe a plan of action (the "how") to implement the changes discussed. Could include subsections like:
UI Changes
Should cover changes required to the UI, or specific UI that is required to implement this
Code Changes
Code changes should include an overview of what needs to change, and in some cases even the specific details.