On Thu, Feb 6, 2014 at 9:34 PM, S. Dale Morrey <[email protected]> wrote:

> So is App Armor really an alternative to SELinux?

Yes. It works slightly differently, but it does essentially the same thing: keep your applications from doing things they shouldn't.

> If so, kudos to the devs
> it stays the heck out of my way well enough that I've never even bothered to
> look it up to see what it does.
>

This is due to some differences between SELinux and AppArmor. With AppArmor, you give it profiles for specific applications. If an application doesn't have a profile, AppArmor doesn't control it. I believe in SELinux this is *sort of* like targeted mode.

> Are there any other alternatives?
>

I believe the accepted LSMs are SELinux, AppArmor, TOMOYO, and Smack. I'm only familiar with AppArmor and slightly familiar with SELinux. I played with TOMOYO, but only briefly over a weekend.

> What are the strengths and weaknesses of each?

For me, the biggest strength of AppArmor is the creation of policies. It's fairly easy to read configuration files in /etc/apparmor.d. I can whip one up for my programs in just a few minutes. One commonly listed strength for SELinux is that it has finer-grained control. I've never done anything complicated with AppArmor so I haven't run into an issue. Here is a basic comparison of the two: http://www.cyberciti.biz/tips/selinux-vs-apparmor-vs-grsecurity.html. Spoiler alert: they are basically the same; one is easier to configure and the other gives you more knobs to turn.

> Other than being "what my
> distro shipped with and or familiarity" What would be the advantages or
> disadvantages of each?
>

The distro thing is actually a big deal for LSMs in my opinion. RedHat, Ubuntu, and SUSE have spent a lot of time developing policies for common applications. If you don't use the standard LSM for that distro you may have to do a lot of that work yourself.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
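As an added illustration of the per-application profiles the reply describes (not part of the original thread), here is what a hand-written profile in /etc/apparmor.d looks like for a hypothetical program at /usr/local/bin/example-uploader that reads files from one directory and sends them out over TLS. The program, its paths and its file name are assumed for the example; the abstractions and tunables it includes ship with AppArmor.

```apparmor
# /etc/apparmor.d/usr.local.bin.example-uploader  (hypothetical program and path)
# Once this profile is in enforce mode, everything not listed below is denied
# for this binary. A binary with no profile at all runs unconfined, which is
# the behaviour the reply above points out.

#include <tunables/global>

/usr/local/bin/example-uploader {
  # Shared rules every program needs: libc, ld.so, locale data, /dev/null, ...
  #include <abstractions/base>
  # DNS resolution (resolv.conf, nsswitch) and the CA bundle used for TLS.
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>

  # The executable itself (memory-map + read) and its read-only configuration.
  /usr/local/bin/example-uploader mr,
  /etc/example-uploader/** r,

  # The only tree it may read; 'owner' additionally requires the files to be
  # owned by the same uid the process runs as.
  owner /var/lib/example-uploader/outbox/** r,
  # Its own log is the only file it may write.
  owner /var/log/example-uploader.log w,

  # Outbound TCP sockets. AppArmor rules are socket-level, not a packet
  # filter, so the destination port is not restricted here.
  network inet stream,
  network inet6 stream,

  # Explicit denies are redundant under default-deny but document intent and
  # take precedence over any broader allow rule added later.
  deny /etc/shadow r,
  deny /home/** rw,
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/usr.local.bin.example-uploader`, keep it in complain mode (`aa-complain`) while watching the kernel audit log for DENIED entries, then switch to `aa-enforce` once the program runs cleanly; `aa-status` shows which mode each loaded profile is in.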
