On Mon, 2006-04-24 at 07:45 -0700, David Lang wrote:
> One key difference between SELinux and AppArmor is that AA is _not_
> designed to protect against the actions of root, it's designed to block
> attacks that would let someone become root.
This doesn't match the documentation or implementation AFAICS. It
specifically controls capabilities to limit root processes, and its lack
of complete mediation and use of ambiguous identifiers leaves open a
variety of paths to escalation of access.
> becouse of this strategy it's far simpler to configure becouse you do not
> have to do all the work to control root. This also limits what it can
> defend against, and so it's not 'perfect security' (and after all there is
> only one way to get 'perfect security'
> http://www.ranum.com/security/computer_security/papers/a1-firewall/ ), but
> AA is still a useful tool.
>
> the 'hard shell, soft center' approach isn't as secure as 'full
> hardening' (assuming that both are properly implemented), but the fact
> that it's far easier to understand and configure the hard shell means that
> it's also far more likly to be implemented properly.
>
> remember that it's not really a matter of people deciding not to write
> SELinux policies and instead do AA, it's a matter of people deciding to
> use AA instead of doing nothing.
Is it? Or it a matter of people deciding to use AA and rely on it
versus e.g. using a conventional jail-style or virtualization mechanism
ala VServer or OpenVZ?
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]