On Fri, 2007-06-15 at 14:58 +0530, Rahul Sundaram wrote:
> Ralf Corsepius wrote:
> > On Thu, 2007-06-14 at 16:54 -0400, Tom Horsley wrote:
> >> On Thu, 14 Jun 2007 11:25:08 -0400
> >> taharka <res00vl8@xxxxxxxxxx> wrote:
> >>
> >>> OpenSuse/SEL includes AppArmor, which is their answer to SELINUX &
> >>> supposedly easier to configure/administrate ;-)
> >> Yea, AppArmor is really secure :-). At work someone found it
> >> was refusing to let them run something (I forget which program,
> >> some utterly common utility like uname or date or something).
> >> They copied the executable to a different name file, and it
> >> let them run the copy just fine.
> > Well, is this much better than SELinux-issues preventing your Fedora
> > systems to work properly?
>
> Design bugs are always going to be harder to fix than implementation
> issues. Any issues reported are fixed pretty quickly. Did you report any?
>
> > I've never encountered a case where SELinux caught an actual security
> > breach, but I've seen many cases where SELinux prevented systems from
> > operating properly.
>
> There have been dozens of such instances where SELinux has prevented or
> mitigated the issue.

No doubts, there probably have been such incidents.

I can't comment on AppArmor (I am not using OpenSuSE), but I can comment
on SELinux from my personal experience with it.

And from that I would be very cautious to mention it as a "selling
point", because I assume everybody using Fedora for a couple of months
at some point has had his own experiences with it.

It's helpful and harmful at the same time. Which side's tradeoffs
overweight depends on the personal situation and a particular machine's
purpose.

Ralf