Future of SELinux Policy Editor (seedit)

My thoughts after the SELinux Symposium

The SELinux Symposium was a great place to learn what is happening with SELinux. I learned that a lot of progress has been made in one year. It was the biggest year since SELinux was released.

I also thought that I have to work well with the developers on NSA's mailing list. I am thinking that I have to change the direction of seedit. Currently, to use seedit, the whole policy has to be replaced with the Simplified Policy. However, a lot of work has been done on the mainline policy, so I want to use it. As I said at the symposium, an "appendable simplified policy" (a simplified policy that is appendable to base.pp) would be important.

On the other hand, I heard from some people that path-name based configuration has a flaw that cannot be covered by the implementation. I understand that this is correct. However, I will not quit working on the whole simplified policy (which uses path-name based configuration!). I think SELinux is able to provide the highest security level among OSS secure OSes. However, many Japanese users want more "casual" security. In the long term, we have to educate them to use a label-based secure OS (such as SELinux), but "now" many users want a more casual one. Before the education is complete, they will escape to other alternatives (such as AppArmor+SuSE), or disable SELinux.

I want to let them use SELinux. For this purpose, seedit's Simplified Policy is still effective.

My presentation slides at the SELinux Symposium

My presentation slides from the SELinux Symposium are available below.
http://seedit.sourceforge.net/presentations/2006selinuxsymposium.pdf
If you have questions about my tool, feel free to contact me (ynakam atmark gwu edu).
The latest version (1.3.3) is available at http://seedit.sourceforge.net/

Plan of seedit

There will be two directions for seedit.
One is the full simplified policy (current version); the other is the appendable simplified policy.

1) Full simplified policy (existing version)

The desire for an alternative to SELinux is still big in Japan.
Many feel SELinux is too complicated.
So, the work to simplify the whole SELinux policy is still needed for Japanese users.
Otherwise, they might escape to another secure OS.
I have to do the following...

  • Develop a new GUI
    • A GUI is very effective for promoting to media and beginners.
  • Prepare a simplified policy for FC5

2) Appendable (partly) simplified policy

This is a new one. It will work as follows.

  • The converter's input is "httpd_t.a" (this is written in the syntax of Simplified Policy)
  • Converter converts source policy module (httpd.te, httpd.fc, httpd.if)
  • A policy package is generated (httpd.pp) and is installable with semodule -i httpd.pp

To accomplish this, the following will be necessary.

  • New converter
  • SLIDE extension
  • GUI

This feature will be more friendly to SELinux developers,
because it can co-exist with existing technology.

In addition, justification of permission removal/integration has to be made; after that it might be suggested to core developers.

There is really a lot to do!!