AppArmor and TOMOYO are _SO_ much better. You can create a usable AppArmor policy in a matter of minutes.
And it doesn't require @#)($@#)($*)(@*# relabeling, extended attributes, works on FAT volumes, etc.
In short, SELinux should be ripped out and replaced with something _sane_.
Walsh: Google Chrome Policy
Posted Oct 14, 2009 15:56 UTC (Wed) by jspaleta (subscriber, #50639)
Tresys has a list of SELinux mitigations, you can see it on the right hand side of this page:
Is there anything publicly archived that tracks AppArmor's...effectiveness?
-jef"easy and effective are not synonyms."spaleta
Posted Oct 14, 2009 19:32 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)
Mainly because AppArmor has almost no active developers.
SELinux and AppArmor
Posted Oct 14, 2009 17:33 UTC (Wed) by rfunk (subscriber, #4054)
Posted Oct 14, 2009 19:34 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)
One can say that SELinux's dependency on labels is fatally flawed, since FAT and removable media can have inconsistent labels.
Posted Oct 15, 2009 2:25 UTC (Thu) by rahulsundaram (subscriber, #21946)
FAT and removable media don't have "inconsistent labels". They are not labelled at all, and SELinux policy can handle unlabelled filesystems via other methods.
Posted Oct 15, 2009 12:57 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
Of course, label-based approach of SELinux is more powerful. But what good do these features do if I need to spend days just to write a basic policy?
AppArmor is 'good enough' for most purposes (like confining a daemon to read only certain directories). For example, this very Firefox is confined to read and write only several directories by AppArmor on my system.
And its policy is clear enough so even a newbie administrator can understand it.
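A profile of the kind Cyberax describes, added here as an illustration; it is not the Firefox policy from the thread nor any distribution's shipped profile, and the daemon path /usr/sbin/example-daemon and its directories are hypothetical:

```apparmor
# Added example profile for a hypothetical daemon; not from the thread.
# Path-based: the daemon is identified by its executable, no labels needed.
#include <tunables/global>

/usr/sbin/example-daemon {
  # Shared libraries, /proc self entries and similar basics.
  #include <abstractions/base>

  # The binary itself: readable and mappable as executable.
  /usr/sbin/example-daemon mr,

  # Configuration is read-only.
  /etc/example-daemon/ r,
  /etc/example-daemon/** r,

  # State directory is the only place it may write (k = file locking).
  /var/lib/example-daemon/ rw,
  /var/lib/example-daemon/** rwk,

  # Anything not listed is denied; these explicit denies are documentation
  # of intent and suppress the audit noise for paths we never expect.
  deny /home/** rwx,
  deny /etc/shadow r,
}
```

Load it with `apparmor_parser -r` and start in complain mode (`aa-complain`) so denials show up in the audit log as `apparmor="DENIED"` records before switching to enforce.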
Posted Oct 16, 2009 15:50 UTC (Fri) by rahulsundaram (subscriber, #21946)
Posted Oct 16, 2009 18:22 UTC (Fri) by dlang (✭ supporter ✭, #313)
There are many security people out there who consider SELinux far too complicated for normal use, and who see benefits in AppArmor.
Posted Oct 16, 2009 20:08 UTC (Fri) by nix (subscriber, #2304)
Oh, also because the SELinux people fought tooth and nail to keep it out of the kernel.
Some prophecies are self-fulfilling.
Posted Oct 16, 2009 20:20 UTC (Fri) by dlang (✭ supporter ✭, #313)
But the tooth and nail fight to keep it out of the kernel would do a lot to discourage development.
Posted Oct 17, 2009 0:48 UTC (Sat) by rahulsundaram (subscriber, #21946)
Posted Oct 17, 2009 2:18 UTC (Sat) by dlang (✭ supporter ✭, #313)
Posted Oct 17, 2009 3:04 UTC (Sat) by rahulsundaram (subscriber, #21946)
Posted Oct 17, 2009 3:19 UTC (Sat) by dlang (✭ supporter ✭, #313)
However, when that becomes 'it doesn't handle this case that SELinux does, so it must be worthless', that stops being valid technical criticism, and the objections have frequently gotten to that stage (and, no, my memory is not good enough to remember exactly who made which objections).
Posted Oct 17, 2009 3:44 UTC (Sat) by rahulsundaram (subscriber, #21946)
It is ok for a security solution to address a specific subset of the problems while leaving others as outside the scope but the documentation should explicitly say so. If it doesn't then it makes it harder to merge those patches. Smack did a good job of describing the scope of the problem it was trying to address.
Posted Oct 16, 2009 21:17 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)
But it's _simple_. And it works.
I don't know what's inside the Chrome policy, but you can see the Firefox policy here:
Posted Oct 18, 2009 15:47 UTC (Sun) by kleptog (subscriber, #1183)
Disabling AppArmor solved the problem. SELinux hasn't got a monopoly on obscure error messages.
Posted Oct 15, 2009 18:52 UTC (Thu) by njs (guest, #40338)
I don't know enough to take an informed position in the SELinux debate, but... perhaps you don't either? Empirically, Ubuntu's Firefox AppArmor policy (new for Karmic) is still not up to snuff, and I'm pretty sure they've been working on it for more than a few minutes.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds