[ubuntu-hardened] AppArmor for Ubuntu

cwarner cwarner at kernelcode.com
Thu Mar 2 06:59:02 GMT 2006

> How quaint :) It is a summary of the method posted by Red Hat on their
> web site documenting how to create a policy. So it is not "wrong", but
> it might be out of date. Care to update it?

I would if I had much of a spare moment. In fact if I had more time I'd
try to write a decent overview on writing policy. Can you provide a link
to the documentation you're speaking of?

> Except for the fundamental difference between path name based access
> controls and label based access controls. The label based scheme in
> SELinux makes it much more difficult to build an automated policy generator.

There is a response to this in the form of questions posed by Thomas

> Because SELinux has been available to the open source community in
> general and various distro users like Ubuntu hardened for years, and got
> nearly zero adoption among actual users. With users choosing "nothing at
> all thanks" over SELinux, they seem to be asking for alternatives, and
> AppArmor is a radical design departure that puts usability first.

I agree, adoption amongst users has been abysmal. As far as choosing
nothing at all, there is very little in terms of choice to begin with
when you start speaking of comparison to SELinux. Initially I was under
the impression that AppArmor could be compared but the main gotcha seems
to be the path name based access controls. Obviously, again, I don't
know much about AppArmor.

> > I'm not knocking AppArmor because I've not taken the time to look at all
> > of its technical merits but from the surface and these slides, it's
> > certainly behind SELinux.
> >   
> Uh huh. Try it :)

Will do and thanks for taking time out.

Christopher Warner
