SELinux vs. AppArmor vs. Standard vs. What?

Craig White craigwhite at azapple.com
Fri Oct 31 16:37:18 MST 2008


On Fri, 2008-10-31 at 16:19 -0700, Alan Dayley wrote:
> Thanks for all the responses to my remote desktop login question.  I'm
> pretty sure we will deploy FreeNX for that function.
> 
> This question has to do with the same server.  A tech savvy manager
> says we should use "NSA Linux" on the remote desktop host server.
> What he means is use the SELinux security features.
> 
> Now, I don't have lots of experience with setup and maintenance of
> SELinux.  I have read that it is painful and requires more
> administration than just "set and forget."
> 
> A similar technology is the AppArmor profiles for applications.  Said
> to be easier to use than SELinux but provides much the same benefits.
> 
> Then a third camp seems to think that both of these are overkill and a
> headache for the benefits gained.  They feel that, configured
> correctly, standard user security on a Linux box is secure enough for
> most business applications.
> 
> Where do any of you stand on this argument?  Is SELinux really a pain
> to set up and use?  Is AppArmor interesting but not worth it?
> 
> Given the function of the server as I previously described in that
> other thread (http://lists.plug.phoenix.az.us/lurker/thread/20081030.230820.05346d48.en.html#20081030.230820.05346d48),
> what security extensions would you deploy and why?
----
Sort of like GNOME vs. KDE or vi vs. emacs, isn't this?

SELinux is what Red Hat is committed to and is kernel layer.

AppArmor is what SuSE is committed to and my understanding is that it
isn't quite as intrusive.

I can't speak of AppArmor but I can speak of SELinux as it's been around
since like Fedora 2 and RHEL 4. It takes some learning - much like
iptables, but the tools have gotten really good.

Most rpm applications have adjusted their setup to set 'policy' for the
newly created files but stuff that is compiled from source...well,
you're gonna have to work that out.

https://www.redhat.com/mailman/listinfo/fedora-selinux-list

for selinux questions...

All in all, both are just additional layers of security designed to
limit possible activities of a system that has given unreasonable
access.

Craig


