Re: [AppArmor 00/44] AppArmor security module overview

Adrian Bunk <[email protected]> writes:

> On Tue, Jun 26, 2007 at 07:47:00PM -0700, Andrew Morton wrote:
>> On Tue, 26 Jun 2007 19:24:03 -0700 John Johansen <[email protected]> wrote:
>> 
>> > > 
>> > > so...  where do we stand with this?  Fundamental, irreconcilable
>> > > differences over the use of pathname-based security?
>> > > 
>> > There certainly seems to be some differences of opinion over the use
>> > of pathname-based-security.
>> 
>> I was refreshed to have not been cc'ed on a lkml thread for once.  I guess
>> it couldn't last.
>> 
>> Do you agree with the "irreconcilable" part?  I think I do.
>> 
>> I suspect that we're at the stage of having to decide between
>> 
>> a) set aside the technical issues and grudgingly merge this stuff as a
>>    service to Suse and to their users (both of which entities are very
>>    important to us) and leave it all as an object lesson in
>>    how-not-to-develop-kernel-features.
>> 
>>    Minimisation of the impact on the rest of the kernel is of course
>>    very important here.
>> 
>> versus
>> 
>> b) leave it out and require that Suse wear the permanent cost and
>>    quality impact of maintaining it out-of-tree.  It will still be an
>>    object lesson in how-not-to-develop-kernel-features.
>>...
>
> versus
>
> c) if [1] AppArmor is considered to be something that wouldn't 
>    be merged if it wasn't already widely deployed by Suse: leave it out, 
>    work on an ideal solution [2], and let Suse wear the one-time cost
>    of migrating their users to the ideal solution
>
> One important point is that if AppArmor gets merged there will be much 
> more distribution support for it, and many people on !Suse will start 
> using it.
>
> I'm not claiming to understand the technical details, but from both 
> slightly reading over the previous discussions and the "What are the 
> advantages of AppArmor over SELinux?" section in the AppArmor FAQ [3] my 
> impression is that a main advantage of AppArmor are more user friendly 
> userspace tools. Therefore, if [1] AppArmor is considered technically 
> inferior to SELinux, it might still become more popular than SELinux 
> simply because it's easier to use - and although it's technically 
> inferior.


A couple of random thoughts to mix up this discussion.

Follow-Ups:
- Re: [AppArmor 00/44] AppArmor security module overview
  - From: Casey Schaufler <[email protected]>

Prev by Date: [info] What's in Jeff's libata-dev inbox?
Next by Date: Re: blink driver power saving
Previous by thread: Re: Concerning a post that you made about expandable anonymous shared mappings
Next by thread: Re: [AppArmor 00/44] AppArmor security module overview
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]