On Tue, 18 Apr 2006 23:38:33 +0200, Kurt Garloff said:
> AppArmor is easy. Everyone with a little background in Un*x can
> understand what it does and how it needs to be configured.
> Eventually, most sysadmins of the world can configure it correctly
> and thus make their systems more secure.
Having spent a quarter century in which cleaning up after other sysadmins
has played a major role, I think you're vastly overstating the average clue level
out there.
Most of the readers of this list can (hopefully) snarf a linux-2.foo.tar.bz2
and end up with a bootable kernel on their own. The *actual* average sysadmin
out there has trouble getting something like 'up2date' (or the Ubuntu equivalent)
to update an already vendor-compiled kernel.
Experience has shown that if you make the sysadmin configure it using anything
more than 1 or 2 very broad knobs ("fairly secure, very secure, tinfoil-hat secure"),
it *very* quickly becomes a way for them to create security holes in their system,
and doesn't add any actual security.
And the instant you abstract it all behind a point-and-drool GUI with a choice
of 3 buttons to click, it doesn't matter anymore, because the distro vendor
will be doing all the heavy lifting.
Attachment:
pgpEX0Lozq4JP.pgp
Description: PGP signature
- References:
- Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
- From: Christoph Hellwig <[email protected]>
- Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
- From: Gerrit Huizenga <[email protected]>
- Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
- From: Christoph Hellwig <[email protected]>
- Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
- From: Kurt Garloff <[email protected]>
- Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
- Prev by Date: Very strange RAID failure
- Next by Date: Linux 2.6.16.9
- Previous by thread: Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
- Next by thread: Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
- Index(es):
 |