Re: [Tails-dev] Mandatory Access Control, SELinux and Tails

Delete this message

Reply to this message
Author: Ague Mill
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Mandatory Access Control, SELinux and Tails
On Fri, Jul 27, 2012 at 08:53:01PM +0200, Andreas Kuckartz wrote:
> Is anybody currently working on adding Mandatory Access Control to Tails?


Glad to see that you are interested in that area of Tails! :)

intrigeri is working on AppArmor. He has done quite some work already to
have the basic stuff done for Debian Wheezy. This is upstream work, so
it is documented on the Debian wiki: <https://wiki.debian.org/AppArmor>
Help is indeed welcome: there are many packages used in Tails that still
miss profiles.

> I would suggest to start with SELinux in "permissive" mode and
> incrementally adapt the policy so that in a later stage - when no
> "access denied" warnings occur while using Tails - "enforcing" mode can
> be switched on.


Well, Tails does not have that many contributors. Would you do the
initial work and maintain it afterward?

One of the good side of AppArmor is that it is fairly easy to understand
compared to SELinux, so I feel it will be easy to find maintainers.
Also, as Ubuntu is also pushing AppArmor, there is a good chance
to leverage a good amount of that work upstream.

> The main effect of that change probably would be on the build process
> because the initial file labeling takes some time and requires a reboot.


Is it compatible with SquashFS?

--
Ague