On Mon, 24 Apr 2006, Serge E. Hallyn wrote:
> Quoting Alan Cox ([email protected]):
> > Thus this sort of stuff needs to be taken seriously. Can SuSE provide a
> > good reliable policy for AppArmour to people, can Red Hat do the same
> > with SELinux?
>
> That's a little more than half the question. The other 40% is can users
> write good policies.
>
> I think it will, and already has, become easier for selinux. But in
> this case I wonder whether some sort of contest could be beneficial. We
> all know of Russell Coker's open root selinux play machines. That's a
> powerful statement. Things I'd like to see in addition are
One key difference between SELinux and AppArmor is that AA is _not_
designed to protect against the actions of root, it's designed to block
attacks that would let someone become root.

Because of this strategy it's far simpler to configure, because you do not
have to do all the work to control root. This also limits what it can
defend against, and so it's not 'perfect security' (and after all there is
only one way to get 'perfect security':
http://www.ranum.com/security/computer_security/papers/a1-firewall/ ), but
AA is still a useful tool.

The 'hard shell, soft center' approach isn't as secure as 'full
hardening' (assuming that both are properly implemented), but the fact
that it's far easier to understand and configure the hard shell means that
it's also far more likely to be implemented properly.

Remember that it's not really a matter of people deciding not to write
SELinux policies and instead do AA, it's a matter of people deciding to
use AA instead of doing nothing.
David Lang
--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
-- C.A.R. Hoare
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/