The AppArmor debate begins
Posted May 1, 2006 16:04 UTC (Mon) by Method (guest, #26150)
In reply to: The AppArmor debate begins by nix
Parent article: The AppArmor debate begins
Congratulations, you identified the precise problem with this type of system. For comparison, the SELinux Thunderbird policy *does not* include this capability, proof positive that iterative active policy development will yield higher quality policies than 'status quo encapsulation'. If Thunderbird functions properly without this permission then it should not be there.
See http://securityblog.org/brindle/2006/03/25/security-anti-... for more commentary on that sort of policy development.
The point mentioned in your post about using learning mode while the app is not being attacked is talked about in the above article, but I'll refute it here in case people don't want to read it. Once your system is active (e.g., Thunderbird is fetching mail from your server) it is no longer in a known good state; you have no idea if it is being attacked or otherwise compromised. The fact that blindly writing policies in this manner can actually create channels for the attackers to operate on after the policy is active is disturbing and IMHO a very compelling argument against this type of behavior.