[ubuntu-hardened] AppArmor for Ubuntu

Crispin Cowan crispin at novell.com
Wed Mar 1 00:39:16 GMT 2006

cwarner wrote:
> Besides the fact that the method of creating policy on these slides is
> totally incorrect and far from recommended practice for SELinux.
How quaint :) It is a summary of the method posted by Red Hat on their
web site documenting how to create a policy. So it is not "wrong", but
it might be out of date. Care to update it?

> There
> are projects in the works and policy editors being created for SELinux.
> This approach really isn't that different at all. As it all boils down
> to policy.
Except for the fundamental difference between path name based access
controls and label based access controls. The label based scheme in
SELinux makes it much more difficult to build an automated policy generator.

> So, besides that fact, why would someone who has already employed
> SELinux for X setup switch to AppArmor?
Because SELinux has been available to the open source community in
general and various distro users like Ubuntu hardened for years, and got
nearly zero adoption among actual users. With users choosing "nothing at
all thanks" over SELinux, they seem to be asking for alternatives, and
AppArmor is a radical design departure that puts usability first.

> Why should all the work that has
> been done with SELinux be stopped?
I said nothing at all about stopping SELinux work. I am suggesting that
packages for Ubuntu be rolled out, and that Ubuntu users try them. I
strongly suspect that many of the users who have tried and rejected
SELinux as unusable will quite like AppArmor.

> I'm not knocking AppArmor because I've not taken the time to look at all
> of its technical merits but from the surface and these slides, it's
> certainly behind SELinux.
Uh huh. Try it :)

Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
	Olympic Games: The Bi-Annual Festival of Corruption
