I finally bought a netbook and since I am intending to use it with some work stuff (meaning data that requires confidentiality and integrity) I started to tuning my MeeGo to make it more protected before place my data
To make it more protected I think that it is interesting to confine some, let’s say, “untrusted applications”. Which basically means more restrictive control over the processes. Usually I use GRSecurity for that but this time I am using SELinux. Since I am dealing with RPM and Fedora use to be a reference (at least for me) in the support to the SELinux, most of the specs files were copied from Fedora including the policy. The policy should be well refined to fit my needs, but it will be the subject of another post.
Supporting SELinux involves to support not only the kernel part of SELinux (kernel-selinux-netbook), but to support a huge number of packages as you can see bellow:
Part of these packages are not needed to make the SELinux work, but they are used by auxiliary applications which make SELinux easy to deal with. As you can see, these packages provide dependencies on Ruby, Perl and Python for example. I think we just need the python dependency. The big difference between my packages and Fedora’s packages is the fact that I refuse myself to port the Java SELinux utilities.
All the support to that packages (and also the devel version of them) are available at my MeeGo repo at:
To add SELinux to your image, you just need to add to your .ks file, the following repo:
repo --name=security --baseurl=http://meego.zimmerle.org/repo/security/packages/
And you also need to place the SELinux package group in the package section:
An example of a kick start file can be downloaded here: http://meego.zimmerle.org/repo/security/build/meego-netbook-chromium-ia32-security-1.0.20100614.1459.ks
You can also download a SELinux MeeGo image at: http://meego.zimmerle.org/repo/security/build/
Here goes a picture of my netbook running selinux kernel:
The policy is not loaded automatically after the boot and the file system is not labeled yet. To load the policy just use load_policy tool.