SELinux vs. AppArmor vs. Standard vs. What?

Thomas Cameron thomas.cameron at camerontech.com
Sun Nov 2 10:54:39 MST 2008


Alan Dayley wrote:
> Thanks for all the responses to my remote desktop login question.  I'm
> pretty sure we will deploy FreeNX for that function.
> 
> This question has to do with the same server.  A tech savvy manager
> says we should use "NSA Linux" on the remote desktop host server.
> What he means is use the SELinux security features.
> 
> Now, I don't have lots of experience with setup and maintenance of
> SELinux.  I have read that it is painful and requires more
> administration than just "set and forget."
> 
> A similar technology is the AppArmor profiles for applications.  Said
> to be easier to use than SELinux but provides much the same benefits.
> 
> Then a third camp seems to think that both of these are overkill and a
> headache for the benefits gained.  They feel that, configured
> correctly, standard user security on a Linux box is secure enough for
> most business applications.
> 
> Where do any of you stand on this argument?  Is SELinux really a pain
> to set up and use?  Is AppArmor interesting but not worth it?
> 
> Given the function of the server as I previously described in that
> other thread (http://lists.plug.phoenix.az.us/lurker/thread/20081030.230820.05346d48.en.html#20081030.230820.05346d48),
> what security extensions would you deploy and why?

Full disclaimer:  I work for Red Hat, so I'm prolly biased.

I prefer SELinux.  It's got a long, proven track record, it is highly
granular, very configurable, and very secure.  Although it was certainly
not easy to configure when we first released it with Red Hat Enterprise
Linux 4, it's come a looooong way since then.  It's very easy to get
SELinux configured with tools like sealert, audit2why, audit2allow, and
semanage.

I just delivered an intro SELinux presentation at the Colorado Software 
Summit two weeks ago.  The presentation, titled "SELinux for Mere 
Mortals" is available at:

http://people.redhat.com/tcameron

Have a look at it and see if it makes sense.

TC
