Linux fragmenting at last?

Posted Mar 1, 2006 1:15 UTC (Wed) by erich (subscriber, #7127)
Parent article: Linux fragmenting at last?

It's way too early to talk about fragmentation yet.
No one has proven that these things can't just coexist. That one distribution could support both SELinux and AppArmor, for example.
Or that AIGLX can't run on top of Xgl.
These are just different approaches to solve outstanding issues (higher security, better graphics, ...).

The real issue I see here is that these projects are often developed behind closed doors. There were many people complaining about the way Novell has handled the Xgl development, for example.

I've just these days blogged about AppArmor and SELinux:
http://blog.drinsama.de/erich/en/linux/selinux/2006022802...
And while this reads very harsh against SELinux, I'm still trying to bring good SELinux support to Debian.

But here, too, development is done largely behind closed doors at e.g. Tresys, which is just very unhealthy.
And despite its maturity, SELinux is (likely due to all the new stuff added, like semanage) currently in a really bad shape for users.
Of course the people at Tresys and Red Hat will flame me again for saying so. But Novell could hardly have picked a better time for attacking SELinux with AppArmor, and I for example know of no one running current modular SELinux successfully except on Fedora/RHEL (the Red Hat people) or Gentoo (the Tresys people). All the other distributions have largely lost their SELinux support (well, the core stuff like init usually is SELinux-enabled, but there is absolutely no documentation available, and thus very few people even trying to get it up and running. And even fewer are successful at it.)
Let's hope Novell doesn't manage to exploit this current weakness of SELinux with AppArmor, which is said to have serious technical limitations (aka: "it's mostly useless").


Linux fragmenting at last?

Posted Mar 1, 2006 11:23 UTC (Wed) by nix (subscriber, #2304)

I don't understand. What's `mostly useless' about AppArmor? The largest problem that I can see is the absence of per-user profiles (fixes planned but tricky). It certainly seems useful to *me*.

Linux fragmenting at last (blog post)

Posted Mar 1, 2006 17:58 UTC (Wed) by linuxbox (subscriber, #6928)

Some interesting points in the blog post. Have you also worked with Grsecurity or RSBAC?

Linux fragmenting at last (blog post)

Posted Mar 2, 2006 13:14 UTC (Thu) by erich (subscriber, #7127)

I've used grsecurity, but its ACLs were almost as bad to set up.
And they are pretty hard to define properly.
E.g. it makes a difference between calling
"somescript.pl"
and
"perl somescript.pl"

Which totally sucks, but applies to all languages with runtime environments, including Perl, Python, Java, Mono.

"Transitions" in SELinux are a really nice thing, which most other ACL systems are lacking. And while I personally have little use for MCS and MLS (Multiple class security, multiple level security), they make perfect sense for corporate environments with multiple "trustedness" user levels.
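The distinction erich describes above (running `somescript.pl` directly versus `perl somescript.pl`) comes down to which filename the kernel receives in execve(), which is what a path-based access-control system keys its subject on. The following is an added example, not part of this thread, that makes the difference visible using /bin/sh in place of perl; it assumes a Linux system with /proc mounted and a writable, executable temp directory.

```shell
# Run the same script two ways and report what the kernel records for each.
# "comm" is derived from the filename handed to execve(): for a direct #!
# exec that is the script itself, for "sh script" it is the interpreter.
# "exe" is the binary actually mapped, which is the interpreter both times.
# Output: "<comm> <exe>|<comm> <exe>" (direct exec first, interpreter second).
exec_names() {
    workdir=$(mktemp -d) || return 1
    script="$workdir/somescript.sh"
    # Constructed sample script: it prints its own comm and exe basename.
    cat > "$script" <<'EOF'
#!/bin/sh
printf '%s %s\n' "$(cat /proc/$$/comm)" "$(basename "$(readlink /proc/$$/exe)")"
EOF
    chmod 755 "$script"
    direct=$("$script")      # kernel sees execve(".../somescript.sh", ...)
    via=$(sh "$script")      # kernel sees execve(".../sh", ...)
    rm -rf "$workdir"
    printf '%s|%s\n' "$direct" "$via"
}
```

A policy that identifies subjects by the executed path therefore needs a rule for the script and another for the interpreter, or it only covers one of the two invocations.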

Linux fragmenting at last (blog post)

Posted Mar 3, 2006 4:53 UTC (Fri) by ab (subscriber, #788)

Still, what about RSBAC? It is a far richer model than Grsecurity and comparable (even richer) with SELinux, yet easier to set up.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds