On Mon, Aug 24 2009, Greg Donald wrote:
>> Also, http://en.wikipedia.org/wiki/SELinux has a decent writeup,
>> apart from their failure to note the epic fail of apparmor because
>> they use path based security (but that is the subject of another
>> thread).
>
> Minus the "epic fail" part it looks like it's there, or did you just
> add it?

No, I meant to say they do not note the epic fail of AppArmor.

AppArmor is not strict security, though, man, it is easy to use. SELinux gives you finer granularity of control; it is not as easy to bypass. With AppArmor, your security stance is not based on the objects you are trying to protect the confidentiality and integrity of, but on a label that has no meaning to the kernel, and is only loosely associated with the underlying object. Any of a number of mechanisms that munge or copy the label (like, you know, hard links) can then totally bypass your security model.

AppArmor is easier to use, since it addresses a far smaller group of security problems. AppArmor does not guarantee data confidentiality, in contrast to SELinux. (Guess what I want y'all who store credit card info to use.)

AppArmor's sub-process restrictions allow you to run, for example, PHP scripts via mod_php in a context different from the context of Apache itself, although both run within the same process. The design of AppArmor has enormous disadvantages: there is nothing to stop malevolent code injected by an attacker into the PHP context from running in the Apache context later. After all, they use the same memory sector. Thus, this scenario will permit escalation of privileges – that's a bug, not a feature.

The SELinux architecture is also suitable for security designs beyond MAC. And the MLS and MCS implementations provide ample evidence that the design works. The decision of SELinux or AppArmor is the choice between a comprehensive security architecture on the one hand, and local ad hoc improvements on the other.

manoj
-- 
Neither spread the germs of gossip nor encourage others to do so.
Manoj Srivastava <[email protected]> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
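The hard-link point made in the message above, as an added example that is not part of the original thread and not code from either project: a confinement decision keyed on the pathname (the AppArmor model) and one keyed on the inode (the SELinux model, where the label is an extended attribute stored with the inode) are run against a file and a hard link to it. The file names, the two toy rule functions (`path_rule_allows`, `label_rule_allows`) and the "protected" sets are constructed for the demonstration; they are not the syntax or semantics of either policy language.

```python
import os
import shutil
import tempfile


def inode_of(path):
    """Identity of the object behind a name: device-local inode number."""
    return os.stat(path).st_ino


def path_rule_allows(path, protected_paths):
    """Pathname-keyed decision (AppArmor style, simplified): the rule is
    matched against the name the process used at open(), so a second
    name for the same inode is a different match."""
    return os.path.realpath(path) not in protected_paths


def label_rule_allows(path, protected_inodes):
    """Label-keyed decision (SELinux style, simplified): the label lives on
    the inode, so every name that resolves to that inode gets the same
    answer. We stand in for the xattr label with the inode number."""
    return inode_of(path) not in protected_inodes


def hardlink_demo():
    """Create a protected file and a hard link to it in a temp directory,
    then ask both rule styles about both names. Returns a dict of booleans."""
    workdir = tempfile.mkdtemp(prefix="link-demo-")
    try:
        secret = os.path.join(workdir, "secret.txt")   # constructed sample file
        alias = os.path.join(workdir, "alias.txt")     # constructed second name
        with open(secret, "w") as fh:
            fh.write("constructed sample data, not a real secret\n")
        os.link(secret, alias)                          # hard link: same inode, new name

        protected_paths = {os.path.realpath(secret)}    # what a path-based rule knows about
        protected_inodes = {inode_of(secret)}           # what a label-based rule knows about

        return {
            "same_inode": inode_of(secret) == inode_of(alias),
            "path_rule_blocks_secret": not path_rule_allows(secret, protected_paths),
            "path_rule_blocks_alias": not path_rule_allows(alias, protected_paths),
            "label_rule_blocks_secret": not label_rule_allows(secret, protected_inodes),
            "label_rule_blocks_alias": not label_rule_allows(alias, protected_inodes),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in hardlink_demo().items():
        print(f"{key}: {value}")
```

The path-keyed rule denies `secret.txt` but not `alias.txt`, while the inode-keyed rule denies both, because the second name changed nothing about the object. Two caveats a reviewer would add: real AppArmor does mediate link creation by a confined process (a link rule only succeeds when the new name carries no more permissions than the target), so the practical gap is names created outside the profile author's view, and this script models only the decision function, not the kernel hooks or the policy languages of either system.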
