How to install AppArmor on Puppy?

For discussions about security.
Post Reply
Message
Author
pubbyhove
Posts: 13
Joined: Sat 02 Apr 2011, 17:48

How to install AppArmor on Puppy?

#1 Post by pubbyhove »

could you help me?
Last edited by pubbyhove on Thu 05 May 2011, 15:33, edited 2 times in total.

User avatar
Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#2 Post by Flash »

Help what? What problem do you think it will solve?

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#3 Post by nooby »

Flash you can read here :)
http://selinux.sourceforge.net/about.php3

quote
This site is part of the SELinux for Distributions project. The project is hosted at SourceForge. The project summary page is at http://sf.net/projects/selinux.

The overarching goals of this project are to

* Develop a community around SELinux that can develop the wide range of features needed to fully and easily integrate SELinux into distributions.
* Increase usability of SELinux

Specifically, we plan to

* Document how to use SELinux in distributions
* Organize and package the components of an SELinux-based system for use in a variety of distributions
* Provide additional help in configuring policies to support specific distributions

About SELinux

SELinux was created by the National Security Agency as an example of how mandatory access controls that can confine the actions of any process, including a superuser process, can be added into Linux. The focus of that work has not been on system assurance or other security features such as security auditing, although these elements are also important for a secure system.

The security mechanisms implemented in the system provide flexible support for a wide range of security policies. They make it possible to configure the system to meet a wide range of security requirements. The release includes a general-purpose security policy configuration designed to meet a number of security objectives as an example of how this may be done. The flexibility of the system allows the policy to be modified and extended to customize the security policy as required for any given installation.

Although NSA affiliates participate in some aspects of this project to pursue NSA SELinux research goals, the project and its products are not endorsed or evaluated by NSA. The software available from this project is subject to the same legal disclaimers as the original NSA SELinux prototype. Although NSA affiliates may have participated in this project and undertaken or suggested some project work, this project is not sponsored by NSA and nothing here constitutes a request for proposal or a commitment by the National Security Agency to anyone for the procurement of equipment, services, or any obligation. The National Security Agency reserves the right to not pursue this project or any task in this project, and to discontinue, at any time, participation in the project or work in progress by any of its employees and contractors.

/quote

NSA that sounds scary? Them putting in back doors maybe. Tin hat on.
I use Google Search on Puppy Forum
not an ideal solution though

pubbyhove
Posts: 13
Joined: Sat 02 Apr 2011, 17:48

#4 Post by pubbyhove »

nooby wrote:Flash you can read here :)
http://selinux.sourceforge.net/about.php3

quote
This site is part of the SELinux for Distributions project. The project is hosted at SourceForge. The project summary page is at http://sf.net/projects/selinux.

The overarching goals of this project are to

* Develop a community around SELinux that can develop the wide range of features needed to fully and easily integrate SELinux into distributions.
* Increase usability of SELinux

Specifically, we plan to

* Document how to use SELinux in distributions
* Organize and package the components of an SELinux-based system for use in a variety of distributions
* Provide additional help in configuring policies to support specific distributions

About SELinux

SELinux was created by the National Security Agency as an example of how mandatory access controls that can confine the actions of any process, including a superuser process, can be added into Linux. The focus of that work has not been on system assurance or other security features such as security auditing, although these elements are also important for a secure system.

The security mechanisms implemented in the system provide flexible support for a wide range of security policies. They make it possible to configure the system to meet a wide range of security requirements. The release includes a general-purpose security policy configuration designed to meet a number of security objectives as an example of how this may be done. The flexibility of the system allows the policy to be modified and extended to customize the security policy as required for any given installation.

Although NSA affiliates participate in some aspects of this project to pursue NSA SELinux research goals, the project and its products are not endorsed or evaluated by NSA. The software available from this project is subject to the same legal disclaimers as the original NSA SELinux prototype. Although NSA affiliates may have participated in this project and undertaken or suggested some project work, this project is not sponsored by NSA and nothing here constitutes a request for proposal or a commitment by the National Security Agency to anyone for the procurement of equipment, services, or any obligation. The National Security Agency reserves the right to not pursue this project or any task in this project, and to discontinue, at any time, participation in the project or work in progress by any of its employees and contractors.

/quote

NSA that sounds scary? Them putting in back doors maybe. Tin hat on.
thanks a lot for your attention~ I'm really touched.
maybe your are right and I will take it into my considering range~
but I have to say that :
selinux has been successfully support in ubuntu, redhat ,and other linux system.
maybe this time they (NSA) done something good.

User avatar
Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#5 Post by Flash »

Puppy originated as a live CD, which meant it had no need for the access control apparatus of a multiuser OS. Nevertheless, many people have installed and used it as a multiuser OS. I guess its speed, ease of use and small footprint make it attractive. Anyway, it sounds to me like adding SELinux to Puppy would result in something like the Frankenstein's monster of operating systems. Perhaps the kludge could be made to work, but wouldn't it make more sense to start with a multiuser Linux distro?

Pubbyhove, you didn't answer my question. Is there a specific problem you're trying to solve?

User avatar
Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#6 Post by Bernie_by_the_Sea »

A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. This reduces or eliminates the ability of these programs and daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example). This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).http://en.wikipedia.org/wiki/Security-Enhanced_Linux
No concept of a "root" super-user does not sound compatible with the Puppy philosophy.

Also in that article:
(SELinux has been integrated into version 2.6 series of the Linux kernel, and separate patches are now unnecessary; the above is a historical quote.)
Is this all 2.6 series? I know it's in some versions of Fedora and Ubuntu but all 2.6 kernels?

A sandbox or virtual machine does everything SELinux can do. Join PPP, Prevent Puppy Paranoia.

pubbyhove
Posts: 13
Joined: Sat 02 Apr 2011, 17:48

thanks for your attention

#7 Post by pubbyhove »

No concept of a "root" super-user does not sound compatible with the Puppy philosophy.

that just mean the root account won't get all access to the system,
let me see, I can't completely explain it ~
you should learn from the homepage.


Is this all 2.6 series? I know it's in some versions of Fedora and Ubuntu but all 2.6 kernels?

actually selinux has been put in linux kernel as a necessary part since 2.6,
when you complie the kernel you can see it in /security /selinux.

A sandbox or virtual machine does everything SELinux can do. Join PPP, Prevent Puppy Paranoia.[/quote]

yeah I 'm a paranoia.......
if anyone could help me bulid selinux on puppy ,
I would pay him $100 dollars.
will I?

pubbyhove
Posts: 13
Joined: Sat 02 Apr 2011, 17:48

thanks

#8 Post by pubbyhove »

Flash wrote:Puppy originated as a live CD, which meant it had no need for the access control apparatus of a multiuser OS. Nevertheless, many people have installed and used it as a multiuser OS. I guess its speed, ease of use and small footprint make it attractive. Anyway, it sounds to me like adding SELinux to Puppy would result in something like the Frankenstein's monster of operating systems. Perhaps the kludge could be made to work, but wouldn't it make more sense to start with a multiuser Linux distro?

Pubbyhove, you didn't answer my question. Is there a specific problem you're trying to solve?
actually it not only about multiuser,
i have never think about change puppy to be a multiuser system.

I 'm doing a project for my personal interest,i called it "seveket".
yeah, I 'm not carrying owls to Athens.

User avatar
Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#9 Post by Bernie_by_the_Sea »

It's not that simple or easy to get SELinux to work in any version of Puppy. A number of Puppy People have tried in the past few years with limited success. Step one is to get Python working flawlessly. Step two is to try to get SELinux to work with your flawless Python. I spent a few hours the last couple of days trying to get SELinux to work in Wary but I don't think I'm even close.

It's really not worth spending much time on since anything SELinux can do can be done in other ways in Puppy, in Linux and even in Windows. You never have said what you're trying to do security-wise. What "security needs" do you have? SELinux's security philosophy is the direct opposite of Puppy's philosophy and I doubt that it's wise to try to combine the two. Why would Puppy want to support SELinux? It makes no sense. SELinux would only cripple Puppy.

AppArmor has the same objective as SELinux and is better developed, maintained and supported. Maybe you should take a look at it.

pubbyhove
Posts: 13
Joined: Sat 02 Apr 2011, 17:48

thanks very much

#10 Post by pubbyhove »

Bernie_by_the_Sea wrote:
AppArmor has the same objective as SELinux and is better developed, maintained and supported. Maybe you should take a look at it.
thank you very much!maybe i should think twice~
could you tell me something more about AppArmor ?
Is it easy to install that on puppy?

User avatar
Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#11 Post by Bernie_by_the_Sea »

http://www.novell.com/linux/security/ap ... rview.html

AppArmor is not easy to install in Puppy. You have never yet said what you're trying to accomplish. Both SELinux and AppArmor are for multiuser systems. They are used mostly by large corporations or the government. They do little or nothing for a home user.

pubbyhove
Posts: 13
Joined: Sat 02 Apr 2011, 17:48

millions of thanks

#12 Post by pubbyhove »

Bernie_by_the_Sea wrote:http://www.novell.com/linux/security/ap ... rview.html

AppArmor is not easy to install in Puppy. You have never yet said what you're trying to accomplish. Both SELinux and AppArmor are for multiuser systems. They are used mostly by large corporations or the government. They do little or nothing for a home user.
thank you very much。

I have said before,
I want to develop puppy as a security for my business.
for example ,
I can carry it when I'm traveling,on a business trip instead of carrying of a
stupid notebook.

I'm not quite sure that puppy could security my data.
I know it will save all the data by MD5,

but i'm worry about that when I 'm doing some important task
like dealing with my work, online shopping,
will puppy give me enough security support?


it's my personal vision,thank you!

pubbyhove
Posts: 13
Joined: Sat 02 Apr 2011, 17:48

#13 Post by pubbyhove »

nooby wrote:Flash you can read here :)
http://selinux.sourceforge.net/about.php3

quote
This site is part of the SELinux for Distributions project. The project is hosted at SourceForge. The project summary page is at http://sf.net/projects/selinux.


/quote

NSA that sounds scary? Them putting in back doors maybe. Tin hat on.
http://www.murga-linux.com/puppy/viewto ... 143#520143

dear nooby,
have you see the article there?
http://www.murga-linux.com/puppy/viewto ... 143#520143

I have read it just now,and I believe
if puppy support selinux or AppArmor
will help the issue a lot~

you can see the author'need also call for puppy to have
"
*python
*wxpython
*some other python libs "

which is all need for selinux?

Post Reply