01-05-2011, 08:39 PM
Thomas S Hatch

TU Application - Thomas Hatch

On Wed, Jan 5, 2011 at 2:33 PM, Martin Peres <martin.peres@free.fr> wrote:

> On 05/01/2011 22:21, Thomas S Hatch wrote:
>
> Oh, it is lower on my list, but I wanted to make SELinux more powerful in
>> Arch too, I am one of the VERY few who not only know how to handle
>> SELinux,
>> and likes to use it
>>
> You WHAT? You like to use it? You must be a masochist then
>
> I've been working around and on it for 2 years now and I wouldn't use it
> for any desktop (even though that's what I'm doing at work).
>
> Are you using the targeted mode or the strict one (I'm always using the
> strict mode)?
>

Well of course you have to move in and around it using the strict mode! Do
you know who developed that? The NSA, and don't tell them I said anything,
but I don't trust those guys

Personally, I would not use SELinux on a desktop, I think that SELinux is
best suited for machines with static configurations that serve content
often to the open internet. So with that said, SELinux is best for DNS
servers, Mail servers, routers etc.

And the strict policy is too strict, often it thinks that booting is a
security violation!

See what I mean though? Most people don't like it, personally, I do NOT
endorse turning it on by default, I think that that is a bit crazy.
 
01-05-2011, 08:51 PM
Martin Peres

TU Application - Thomas Hatch

On 05/01/2011 22:39, Thomas S Hatch wrote:

> On Wed, Jan 5, 2011 at 2:33 PM, Martin Peres <martin.peres@free.fr> wrote:
>
>> On 05/01/2011 22:21, Thomas S Hatch wrote:
>>
>>> Oh, it is lower on my list, but I wanted to make SELinux more powerful in
>>> Arch too, I am one of the VERY few who not only know how to handle
>>> SELinux, and likes to use it
>>
>> You WHAT? You like to use it? You must be a masochist then
>>
>> I've been working around and on it for 2 years now and I wouldn't use it
>> for any desktop (even though that's what I'm doing at work).
>>
>> Are you using the targeted mode or the strict one (I'm always using the
>> strict mode)?
>
> Well of course you have to move in and around it using the strict mode! Do
> you know who developed that? The NSA, and don't tell them I said anything,
> but I don't trust those guys
>
> Personally, I would not use SELinux on a desktop, I think that SELinux is
> best suited for machines with static configurations that serve content
> often to the open internet. So with that said, SELinux is best for DNS
> servers, Mail servers, routers etc.
>
> And the strict policy is too strict, often it thinks that booting is a
> security violation!
>
> See what I mean though? Most people don't like it, personally, I do NOT
> endorse turning it on by default, I think that that is a bit crazy.

Oh sure, SELinux is simple on servers. My research is about
dynamically loading policy modules according to the current user's task.
It works kind of well.


I've written some helpers to generate security policies automatically,
it makes you a working policy in less than 4 minutes (for firefox).
You're done in a little more than 10 minutes (test & audit).


Currently, I'm working on adding a memory access control in SELinux
(just for fun, we'll see how it works).


I know all of this is crazy, hence the reason I'm kind of fed up with
SELinux even though it is really powerful!


Anyway, I'm using Gentoo Hardened for my research. The only non-Arch OS
I'm using.
 
01-05-2011, 08:54 PM
Thomas S Hatch

TU Application - Thomas Hatch

On Wed, Jan 5, 2011 at 2:51 PM, Martin Peres <martin.peres@free.fr> wrote:

> On 05/01/2011 22:39, Thomas S Hatch wrote:
>
> On Wed, Jan 5, 2011 at 2:33 PM, Martin Peres<martin.peres@free.fr>
>> wrote:
>>
>> On 05/01/2011 22:21, Thomas S Hatch wrote:
>>>
>>> Oh, it is lower on my list, but I wanted to make SELinux more powerful
>>> in
>>>
>>>> Arch too, I am one of the VERY few who not only know how to handle
>>>> SELinux,
>>>> and likes to use it
>>>>
>>>> You WHAT? You like to use it? You must be a masochist then
>>>
>>> I've been working around and on it for 2 years now and I wouldn't use it
>>> for any desktop (even though that's what I'm doing at work).
>>>
>>> Are you using the targeted mode or the strict one (I'm always using the
>>> strict mode)?
>>>
>> Well of course you have to move in and around it using the strict mode! Do
>> you know who developed that? The NSA, and don't tell them I said anything,
>> but I don't trust those guys
>>
>> Personally, I would not use SELinux on a desktop, I think that SELinux is
>> best suited for machines with static configurations that serve content
>> often to the open internet. So with that said, SELinux is best for DNS
>> servers, Mail servers, routers etc.
>>
>> And the strict policy is too strict, often it thinks that booting is a
>> security violation!
>>
>> See what I mean though? Most people don't like it, personally, I do NOT
>> endorse turning it on by default, I think that that is a bit crazy.
>>
> Oh sure, SELinux is simple on servers. My research is about dynamically
> loading policy modules according to the current user's task. It works kind
> of well.
>
> I've written some helpers to generate security policies automatically, it
> makes you a working policy in less than 4 minutes (for firefox). You're done
> in a little more than 10 minutes (test & audit).
>
> Currently, I'm working on adding a memory access control in SELinux (just
> for fun, we'll see how it works).
>
> I know all of this is crazy, hence the reason I'm kind of fed up with
> SELinux even though it is really powerful!
>
> Anyway, I'm using Gentoo Hardened for my research. The only non-Arch OS I'm
> using.
>

Wow, this sounds like great stuff! I would love to get my hands on it, this
could make policy tuning a walk in the park!

Is this open source? Can I see your code? What is it written in?
 
01-05-2011, 09:13 PM
Martin Peres

TU Application - Thomas Hatch

On 05/01/2011 22:54, Thomas S Hatch wrote:

> On Wed, Jan 5, 2011 at 2:51 PM, Martin Peres <martin.peres@free.fr> wrote:
>
>> On 05/01/2011 22:39, Thomas S Hatch wrote:
>>
>>> On Wed, Jan 5, 2011 at 2:33 PM, Martin Peres <martin.peres@free.fr> wrote:
>>>
>>>> On 05/01/2011 22:21, Thomas S Hatch wrote:
>>>>
>>>>> Oh, it is lower on my list, but I wanted to make SELinux more powerful
>>>>> in Arch too, I am one of the VERY few who not only know how to handle
>>>>> SELinux, and likes to use it
>>>>
>>>> You WHAT? You like to use it? You must be a masochist then
>>>>
>>>> I've been working around and on it for 2 years now and I wouldn't use it
>>>> for any desktop (even though that's what I'm doing at work).
>>>>
>>>> Are you using the targeted mode or the strict one (I'm always using the
>>>> strict mode)?
>>>
>>> Well of course you have to move in and around it using the strict mode! Do
>>> you know who developed that? The NSA, and don't tell them I said anything,
>>> but I don't trust those guys
>>>
>>> Personally, I would not use SELinux on a desktop, I think that SELinux is
>>> best suited for machines with static configurations that serve content
>>> often to the open internet. So with that said, SELinux is best for DNS
>>> servers, Mail servers, routers etc.
>>>
>>> And the strict policy is too strict, often it thinks that booting is a
>>> security violation!
>>>
>>> See what I mean though? Most people don't like it, personally, I do NOT
>>> endorse turning it on by default, I think that that is a bit crazy.
>>
>> Oh sure, SELinux is simple on servers. My research is about dynamically
>> loading policy modules according to the current user's task. It works kind
>> of well.
>>
>> I've written some helpers to generate security policies automatically, it
>> makes you a working policy in less than 4 minutes (for firefox). You're done
>> in a little more than 10 minutes (test & audit).
>>
>> Currently, I'm working on adding a memory access control in SELinux (just
>> for fun, we'll see how it works).
>>
>> I know all of this is crazy, hence the reason I'm kind of fed up with
>> SELinux even though it is really powerful!
>>
>> Anyway, I'm using Gentoo Hardened for my research. The only non-Arch OS I'm
>> using.
>
> Wow, this sounds like great stuff! I would love to get my hands on it, this
> could make policy tuning a walk in the park!
>
> Is this open source? Can I see your code? What is it written in?

The automated policy creation is in Python. The other project that
detects the user's activity and changes the SELinux modules of an
application is written in C/C++/Qt, there are also patches needed for
Firefox and claws-mail. The basic idea is defined here:
http://mupuf.org/blog/article/39/ (read the article). I've done at least
two major rewrites since then to add features and improve the
configuration files.


I'll ask my employers (my teachers/researchers I'm working with) if they
are ok with open sourcing the python auditor. The other research project
will be released for sure but I'm still working on it and it is not
ready for a public release yet.


There is still a lot of polishing to be done and I still have to write a
paper on it to show the problem of automated policy creation and labelling.


If you want more info, please send me a mail, I'll keep you updated on
this!


Good luck with your application

Martin
 
01-05-2011, 09:19 PM
Thomas S Hatch

TU Application - Thomas Hatch

On Wed, Jan 5, 2011 at 3:13 PM, Martin Peres <martin.peres@free.fr> wrote:

> On 05/01/2011 22:54, Thomas S Hatch wrote:
>
> On Wed, Jan 5, 2011 at 2:51 PM, Martin Peres<martin.peres@free.fr>
>> wrote:
>>
>> On 05/01/2011 22:39, Thomas S Hatch wrote:
>>>
>>> On Wed, Jan 5, 2011 at 2:33 PM, Martin Peres<martin.peres@free.fr>
>>>
>>>> wrote:
>>>>
>>>> On 05/01/2011 22:21, Thomas S Hatch wrote:
>>>>
>>>>> Oh, it is lower on my list, but I wanted to make SELinux more powerful
>>>>> in
>>>>>
>>>>> Arch too, I am one of the VERY few who not only know how to handle
>>>>>> SELinux,
>>>>>> and likes to use it
>>>>>>
>>>>>> You WHAT? You like to use it? You must be a masochist then
>>>>>>
>>>>> I've been working around and on it for 2 years now and I wouldn't use
>>>>> it
>>>>> for any desktop (even though that's what I'm doing at work).
>>>>>
>>>>> Are you using the targeted mode or the strict one (I'm always using the
>>>>> strict mode)?
>>>>>
>>>>> Well of course you have to move in and around it using the strict
>>>> mode! Do
>>>> you know who developed that? The NSA, and don't tell them I said
>>>> anything,
>>>> but I don't trust those guys
>>>>
>>>> Personally, I would not use SELinux on a desktop, I think that SELinux
>>>> is
>>>> best suited for machines with static configurations that serve content
>>>> often to the open internet. So with that said, SELinux is best for DNS
>>>> servers, Mail servers, routers etc.
>>>>
>>>> And the strict policy is too strict, often it thinks that booting is a
>>>> security violation!
>>>>
>>>> See what I mean though? Most people don't like it, personally, I do NOT
>>>> endorse turning it on by default, I think that that is a bit crazy.
>>>>
>>>> Oh sure, SELinux is simple on servers. My research is about
>>> dynamically
>>> loading policy modules according to the current user's task. It works
>>> kind
>>> of well.
>>>
>>> I've written some helpers to generate security policies automatically, it
>>> makes you a working policy in less than 4 minutes (for firefox). You're
>>> done
>>> in a little more than 10 minutes (test & audit).
>>>
>>> Currently, I'm working on adding a memory access control in SELinux (just
>>> for fun, we'll see how it works).
>>>
>>> I know all of this is crazy, hence the reason I'm kind of fed up with
>>> SELinux even though it is really powerful!
>>>
>>> Anyway, I'm using Gentoo Hardened for my research. The only non-Arch OS
>>> I'm
>>> using.
>>>
>>> Wow, this sounds like great stuff! I would love to get my hands on it,
>> this
>> could make policy tuning a walk in the park!
>>
>> Is this open source? Can I see your code? What is it written in?
>>
> The automated policy creation is in Python. The other project that detects
> the user's activity and changes the SELinux modules of an application is
> written in C/C++/Qt, there are also patches needed for Firefox and
> claws-mail. The basic idea is defined here:
> http://mupuf.org/blog/article/39/ (read the article). I've done at least
> two major rewrites since then to add features and improve the configuration
> files.
>
> I'll ask my employers (my teachers/researchers I'm working with) if they
> are ok with open sourcing the python auditor. The other research project
> will be released for sure but I'm still working on it and it is not ready
> for a public release yet.
>
> There is still a lot of polishing to be done and I still have to write a
> paper on it to show the problem of automated policy creation and labelling.
>
> If you want more info, please send me a mail, I'll keep you updated on
> this!
>
> Good luck with your application
>
> Martin
>

Thanks, this sounds interesting, I will shoot you an email off list.
 
01-05-2011, 10:15 PM
Ng Oon-Ee

TU Application - Thomas Hatch

On Wed, 2011-01-05 at 12:41 -0700, Thomas S Hatch wrote:
> Thanks Xyne
>
> On Wed, Jan 5, 2011 at 12:40 PM, Xyne <xyne@archlinux.ca> wrote:
>
> > Thomas S Hatch wrote:
> >
> > > Hello, ArchLinux TUs
> > >
> > > Xyne has agreed to sponsor me as a TU. I am very excited at the potential
> > > opportunity to become more directly involved with the development of
> > > ArchLinux.
> >
> > /snip
> >
> > I have indeed agreed to sponsor Thomas, so here I am sponsoring.
> > Let the discussion period begin!
> >

A top-poster! Burn him!
 
01-05-2011, 10:20 PM
Thomas S Hatch

TU Application - Thomas Hatch

2011/1/5 Ng Oon-Ee <ngoonee@gmail.com>

> On Wed, 2011-01-05 at 12:41 -0700, Thomas S Hatch wrote:
> > Thanks Xyne
> >
> > On Wed, Jan 5, 2011 at 12:40 PM, Xyne <xyne@archlinux.ca> wrote:
> >
> > > Thomas S Hatch wrote:
> > >
> > > > Hello, ArchLinux TUs
> > > >
> > > > Xyne has agreed to sponsor me as a TU. I am very excited at the
> potential
> > > > opportunity to become more directly involved with the development of
> > > > ArchLinux.
> > >
> > > /snip
> > >
> > > I have indeed agreed to sponsor Thomas, so here I am sponsoring.
> > > Let the discussion period begin!
> > >
>
> A top-poster! Burn him!
>
>
Aww crap, I used my phone again to reply while I was at lunch, I REALLY need
to fix that, stupid friggin phone.

Usually I would call to burn people for stuff like this, but I have lived
long enough to know that we all make the little mistakes, and we all have to
use bad email clients sometimes
 
01-05-2011, 10:57 PM
Christopher Rogers

TU Application - Thomas Hatch

I was working on something that is like quarters. I called it absbb (or ABS
Build Bot). I was trying to make a build like slitaz <http://www.slitaz.org/>
has for their distro but for arch. I used makerepo to help with making the
packages once in chroot. I have not looked at it in a few months since I was
busy trying to make slitaz better and updated.

https://github.com/godane/devtools-pkgbuild/tree/archbb

Also there is archbb script that was just my attempt to combine all of
devtools into one big script. That didn't get any auto build bot feature
into it.

I hope this helps. Also +1 for TU.

PS I started releasing my livecd again at http://godane.wordpress.com.
 
01-05-2011, 11:07 PM
Thomas S Hatch

TU Application - Thomas Hatch

On Wed, Jan 5, 2011 at 4:57 PM, Christopher Rogers
<slaxemulator@gmail.com> wrote:

> I was working on something that is like quarters. I called it absbb (or ABS
> Build Bot). I was trying to make a build like slitaz <http://www.slitaz.org/>
> has for their distro but for arch. I used makerepo to help with making the
> packages once in chroot. I have not looked at it in a few months since I
> was busy trying to make slitaz better and updated.
>
> https://github.com/godane/devtools-pkgbuild/tree/archbb
>
> Also there is archbb script that was just my attempt to combine all of
> devtools into one big script. That didn't get any auto build bot feature
> into it.
>
> I hope this helps. Also +1 for TU.
>
> PS I started releasing my livecd again at http://godane.wordpress.com.
>


Well, good ideas are thought of twice

I am making quarters in python, also I wanted to make it so the builds
could be distributed, it would be difficult and impractical to have a
continuous build system rebuilding all packages over and over again on just
one box.

I have just been trying to figure out how to make it simple enough for arch,
so no databases, communication systems are all built in so no setting up
crazy deps etc.

But I will look at your absbb, I will most likely be able to garner some
ideas!

Thanks for the vote!
 
01-06-2011, 02:39 AM
Kaiting Chen

TU Application - Thomas Hatch

On Wed, Jan 5, 2011 at 7:07 PM, Thomas S Hatch <thatch45@gmail.com> wrote:

> On Wed, Jan 5, 2011 at 4:57 PM, Christopher Rogers
> <slaxemulator@gmail.com> wrote:
>
> > I was working on something that is like quarters. I called it absbb (or
> > ABS Build Bot). I was trying to make a build like
> > slitaz <http://www.slitaz.org/> has for their distro but for arch. I
> > used makerepo to help with making the
> > packages once in chroot. I have not looked at it in a few months since I
> > was busy trying to make slitaz better and updated.
> >
> > https://github.com/godane/devtools-pkgbuild/tree/archbb
> >
> > Also there is archbb script that was just my attempt to combine all of
> > devtools into one big script. That didn't get any auto build bot feature
> > into it.
> >
> > I hope this helps. Also +1 for TU.
> >
> > PS I started releasing my livecd again at http://godane.wordpress.com.
> >
>
>
> Well, good ideas are thought of twice
>
> I am making quarters in python, also I wanted to make it so the builds
> could be distributed, it would be difficult and impractical to have a
> continuous build system rebuilding all packages over and over again on just
> one box.
>
> I have just been trying to figure out how to make it simple enough for
> arch,
> so no databases, communication systems are all built in so no setting up
> crazy deps etc.
>
> But I will look at your absbb, I will most likely be able to garner some
> ideas!
>
> Thanks for the vote!
>

WTF is everyone working on this? Daniel Mills admins on my server and I know
he's been working on a continuous build system for parts of the AUR. You all
should get together for lunch or something. --Kaiting.

--
Kiwis and Limes: http://kaitocracy.blogspot.com/
 
