Linux security non-modules and AppArmor
Posted Jun 28, 2007 16:16 UTC (Thu) by nix (subscriber, #2304)
In reply to: Linux security non-modules and AppArmor by jamesm
Parent article: Linux security non-modules and AppArmor
But people --- a lot of people, in real-world insecure environments --- are *turning SELinux off* and *running with no LSM at all* because it's simply too damn hard to understand a useful non-minimal SELinux configuration. (I have given up asking ordinary systems administrators to diagnose problems in SELinux configurations when SELinux gets in the way of something they're trying to do: you might as well ask them to fix kernel bugs on their own. They just turn it off, every time.)
Useful AppArmor configurations are very much smaller and easier to comprehend without having to do the sort of vast whole-system data flow analyses you're so fond of (and which nobody on the coalface has the time or inclination to do). Yes, maybe AppArmor *is* less secure than SELinux, but it's a hell of a lot more secure than *nothing*.