On Sun, Aug 26, 2007 at 15:43:02 -0500, Les Mikesell <lesmikesell@xxxxxxxxx> wrote: > Tony Nelson wrote: > >At 3:02 PM -0500 8/26/07, Javier Perez wrote: > > > >>Is anybody working to port AppArmor to Fedora? > >>It does similar work like SELINUX but it is supposed to be user frendlier. > >>Where do I ask the powers that be to include it? > > ... > > > >No. Will never ever happen. Fedora has SELinux, much more powerful, much > >more secure. > > ...if managed by one of the dozen or so experts that understand it. You don't have to understand much of SELinux to make use of it. The targeted policy works pretty well. The GUI interface for setting booleans isn't hard to use. If you install third party binaries that don't protect memory regions the way it is done in Fedora by default or if you run a web server you may need to use the chcon command to label some files to allow for elevated access. You can also use audit2allow to work around denials that shouldn't happen, but those should really get reported as bugs. Also coming in F8 is a way to have restricted accounts with restrictions enforced by SELinux policy. This makes it much safer to give out guest accounts on machines.
