Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)

On Sat, 22 Apr 2006 13:52:57 PDT, Ken Brush said:
> That sysadmins are not sophisticated enough to properly configure the
> MAC systems AppArmor and SELinux effectively?

We know they're usually not.  There are a *few* that have a clue, but most
don't.  And as the Linux market grows, we're going to have more and more Linux
sysadmins with less than a year's experience...

>                                                Or that people who use
> AppArmor are not likely to put careful thought into the policies that
> they use?

They're not likely to put careful thought into it, *AND* that saying things
like "AppArmor is so *simple* to configure" only makes things worse - this
encourages unqualified people to create broken policy configurations.

I have no problem with "handles a lot of the grunt work so an
expert can write policy quicker" - there's people working on policy
editors for SELinux that address this as well.  It is however a disservice
to conflate this with "makes it easy for non-experts to write policy".  Yes,
they may be able to "write policy" easily.  The question is whether it
enables them to "write *correct* policy" (easily, or at all).....
