Ubuntu next?

Posted Feb 14, 2025 9:52 UTC (Fri) by lobachevsky (subscriber, #121871)
Parent article: OpenSUSE Tumbleweed switches to SELinux

That leaves Ubuntu as the last one standing using AppArmor? Maybe all the big distros that use MAC can finally get behind a single thing.


Ubuntu next?

Posted Feb 14, 2025 17:05 UTC (Fri) by cschaufler (subscriber, #126555) [Link] (7 responses)

As the maintainer of a MAC enforcing LSM I am disappointed whenever a distribution goes into the SELinux camp. There are many cases where the extreme fine grained controls of SELinux are not a good match for the problem at hand. The other MAC implementations exist because of this. I understand that it would be convenient if there was only one MAC implementation, but then it would be convenient if there was one disk driver, one memory manager, one CPU architecture, one graphics implementation and so on.

Ubuntu next?

Posted Feb 15, 2025 11:22 UTC (Sat) by jengelh (guest, #33263) [Link] (2 responses)

>There are many cases where the extreme fine grained controls of SELinux are not a good match for the problem at hand

If it's fine-grained, surely SELinux can represent AppArmor rules, and it's just a matter of someone writing a translator, is it not?

Ubuntu next?

Posted Feb 15, 2025 17:25 UTC (Sat) by cschaufler (subscriber, #126555) [Link]

You would have to create an SELinux policy that covers not only the problem at hand, but all system resources. You would also have to add pathname based controls to SELinux. So no, you can't implement AppArmor controls with SELinux policy.

Ubuntu next?

Posted Feb 16, 2025 8:44 UTC (Sun) by jrjohansen (subscriber, #75010) [Link]

There is overlap, but each has elements that do not translate well to the other. So it will very much depend on what is being confined and what type of policy you are trying to achieve.

SELinux is better for containers

Posted Feb 15, 2025 19:07 UTC (Sat) by DemiMarie (subscriber, #164188) [Link] (3 responses)

SELinux is a much better choice for containers because of MCS, which provides protection in the event a resource from one container gets leaked into another somehow.

SELinux is better for containers

Posted Feb 16, 2025 8:40 UTC (Sun) by jrjohansen (subscriber, #75010) [Link] (1 response)

With AppArmor you put each container into a different instance of a profile. It is closer to the udica approach.

SELinux is better for containers

Posted Feb 17, 2025 20:03 UTC (Mon) by DemiMarie (subscriber, #164188) [Link]

The problem is that containers generally have complete control over what the filesystem namespace looks like within the container.
SELinux doesn’t care about paths. It cares about labels, and those aren’t under container control.
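The contrast DemiMarie and jrjohansen are drawing (path-based confinement versus label-based confinement with MCS categories) can be seen in a small model. The following Python is an added illustration written for this page, not code from LWN, AppArmor or SELinux, and it is deliberately simplified: profile names, labels, categories and paths are constructed sample values, AppArmor's own mount mediation and SELinux's full policy language are ignored, and only the core decision of each approach is modelled. A pathname rule keys on the name a process sees in its mount namespace, so if a foreign object is made visible under a permitted name the rule matches; an MCS check keys on categories attached to the object itself, so the same object stays denied regardless of the name it appears under.

```python
"""Toy model: path-keyed vs. label-keyed access decisions for containers.

Added example for illustration only; the policies, labels and paths below
are constructed and do not come from any real AppArmor or SELinux policy.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    """A file object carrying a persistent SELinux-style label."""
    name: str
    stype: str                  # type field of the label (constructed)
    categories: frozenset       # MCS categories, e.g. {"c1"} (constructed)


@dataclass(frozen=True)
class Process:
    """A confined process, seen both as a profile and as a labelled domain."""
    profile: str                # AppArmor-style profile name (constructed)
    stype: str                  # SELinux-style domain type (constructed)
    categories: frozenset       # MCS categories held by the process


# Path-based policy: each profile maps pathname patterns to permitted modes.
# fnmatch's "*" also matches "/", so "/data/a/*" covers the whole subtree.
PATH_POLICY = {
    "container_a": {"/data/a/*": "rw"},
    "container_b": {"/data/b/*": "rw"},
}

# Label-based policy: type enforcement says which domain may touch which type;
# the MCS constraint is applied on top of it in label_decision().
TYPE_POLICY = {("container_t", "container_file_t"): "rw"}


def path_decision(proc: Process, path: str, mode: str) -> bool:
    """AppArmor-style: allow if some rule's pattern matches the path seen."""
    rules = PATH_POLICY.get(proc.profile, {})
    return any(fnmatch.fnmatchcase(path, pattern) and mode in perm
               for pattern, perm in rules.items())


def label_decision(proc: Process, inode: Inode, mode: str) -> bool:
    """SELinux-style: type enforcement plus MCS dominance.

    MCS requires the process to hold every category present on the object;
    the pathname the object is reached through plays no part in the decision.
    """
    perm = TYPE_POLICY.get((proc.stype, inode.stype), "")
    if mode not in perm:
        return False
    return inode.categories <= proc.categories


def decide(proc: Process, namespace: dict, path: str, mode: str) -> dict:
    """Evaluate both models for one access through a given mount namespace.

    `namespace` maps the path as the process sees it to the backing inode,
    which is how a bind mount of another container's data is modelled.
    """
    inode = namespace[path]
    return {
        "path_based": path_decision(proc, path, mode),
        "label_based": label_decision(proc, inode, mode),
        "object": inode.name,
    }


# Constructed sample: two containers, each with its own category.
PROC_A = Process("container_a", "container_t", frozenset({"c1"}))
NOTES_A = Inode("a_notes", "container_file_t", frozenset({"c1"}))
SECRET_B = Inode("b_secret", "container_file_t", frozenset({"c2"}))

# Container A's normal view of the filesystem.
NAMESPACE_A = {"/data/a/notes": NOTES_A}

# The same view after B's data has been made visible under A's own tree
# (e.g. via a bind mount that A controls inside its namespace).
NAMESPACE_A_REMAPPED = dict(NAMESPACE_A, **{"/data/a/leak": SECRET_B})


if __name__ == "__main__":
    print("own file     :", decide(PROC_A, NAMESPACE_A, "/data/a/notes", "r"))
    print("remapped file:", decide(PROC_A, NAMESPACE_A_REMAPPED, "/data/a/leak", "r"))
```

Run it and the first line shows both models agreeing on A's own file; the second shows the path rule matching `/data/a/leak` because the name fits the profile, while the label check still refuses because the inode carries `c2` and the process only holds `c1`. That is the property MCS gives per-container labelling: the category travels with the object, and the container cannot change it by rearranging its own namespace.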

SELinux is better for containers

Posted Feb 16, 2025 22:40 UTC (Sun) by cschaufler (subscriber, #126555) [Link]

MCS (multiple compartment security) is a minor component of SELinux, and you can't get it by itself. You have to accept all of the SELinux policy overhead to get MCS. Smack, on the other hand, supports compartments trivially, with much less other policy baggage. If MCS is really the only reason for you to use SELinux you may find it isn't your best alternative.

Ubuntu next?

Posted Feb 14, 2025 17:36 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

Yes. Let's converge on the new standard: disabled SELinux.

Ubuntu next?

Posted Feb 16, 2025 9:49 UTC (Sun) by jond (subscriber, #37669) [Link]

And Debian.


Copyright © 2025, Eklektix, Inc.