Thread: AppArmor Is Going Into The Linux 2.6.36 Kernel

  1. #1
    Join Date
    Jan 2007
    Posts
    14,600

    Default AppArmor Is Going Into The Linux 2.6.36 Kernel

    Phoronix: AppArmor Is Going Into The Linux 2.6.36 Kernel

    James Morris has outlined a preview of the security subsystem changes he is currently carrying in his security-testing-next branch of the Linux kernel that he plans to have Linus Torvalds pull into the next kernel development cycle for Linux 2.6.36. The big change in the kernel security world is that AppArmor is being planned for integration into the Linux 2.6.36 kernel...

    http://www.phoronix.com/vr.php?view=ODQ2Ng

  2. #2
    Join Date
    Oct 2009
    Posts
    353

    Default

    Does anyone know why some distros choose AppArmor over SELinux? Is it better?

  3. #3
    Join Date
    Oct 2009
    Posts
    353

    Default

    I found this:
    http://www.novell.com/linux/security...omparison.html
    looks like AppArmor to SELinux is what inotify is to dnotify (that is better and easier).

  4. #4
    Join Date
    Jan 2009
    Posts
    148

    Default

    Some of the major distributions that have backed AppArmor as part of their security model is Ubuntu, openSUSE, and Mandriva.
    Is?

    TenTenTen

  5. #5
    Join Date
    Jul 2008
    Location
    Berlin, Germany
    Posts
    821

    Default

    Asking if AppArmor is better than SELinux is like asking if Linux is better than OpenBSD. They solve different problems. Over at lwn.net there is a very nice discussion with an author of the TOMOYO project about advantages and disadvantages.

  6. #6
    Join Date
    Oct 2009
    Posts
    353

    Default

    Quote Originally Posted by chithanh
    Asking if AppArmor is better than SELinux is like asking if Linux is better than OpenBSD. They solve different problems.
    That's a half truth, there are common problems they solve in different ways and as explained in the link above from Novell - AppArmor is certainly better in those cases cause it's simpler and easier.

  7. #7
    Join Date
    Mar 2008
    Location
    Eire
    Posts
    58

    Default

    grsecurity > *


  8. #8
    Join Date
    Jul 2009
    Posts
    416

    Default

    Quote Originally Posted by cl333r
    Does anyone know why some distros choose AppArmor over SELinux? Is it better?
    A lot of people don't like SELinux because it's difficult to work with. I think a lot of people end up disabling it on Fedora.

  9. #9
    Join Date
    Aug 2009
    Posts
    2,264

    Default

    I hate profiling because it's practically useless.
    If apps would ship with their own profile file that complies with a freedesktop standard that doesn't exist then it would be of some use I guess.

    BTW you may disagree with me.

  10. #10
    Join Date
    Sep 2006
    Posts
    714

    Default

    Quote Originally Posted by pvtcupcakes
    A lot of people don't like SELinux because it's difficult to work with. I think a lot of people end up disabling it on Fedora.
    They used to. Most of the time now it's unnecessary. This is due to the 'targeted' policy implemented by Fedora/Red Hat by default. This policy is designed for mild server situations where you're only worried about external threats over the network. It allows local user logins to do pretty much whatever they want within the traditional 'DAC' security framework. Targeted policy is worthless if your goal is to increase the protection from local user accounts.


    ================================

    SELinux is complicated in the extreme because implementing a full-fledged MAC system is itself extremely complicated. I can set up an SELinux machine so that if your user does not have security clearance you will not just be denied access to 'top secret' files on the machine... it would be impossible for you to even detect their existence. Even if you knew their names and knew where they would be, you still could not prove they existed, unless you tried a physical attack on the machine (break into the building and steal the hard drive).

    Other security mechanisms such as TOMOYO, AppArmor, SMACK, and the like are trading capabilities for usability. There is nothing they can do that SELinux cannot do, but there are a lot of things that SELinux can do that they cannot.

    If you're implementing a high-security system for a government agency or a hardcore banking system then you're an idiot to use anything other than SELinux... It was designed specifically for those purposes.

    If your goal is to prevent your user account being hacked because Adobe's flash plugin sucks then AppArmor is your friend.
