[ubuntu-us-ut] SELinux Support in 8.04
Nathan
kemotaha at gmail.com
Thu Mar 20 02:01:32 GMT 2008
On Wed, 2008-03-19 at 12:11 -0600, Christer Edwards wrote:
> On Wed Mar 19, 2008 at 11:57:16AM -0600, BJ Cardon wrote:
> > Can you sell us SELinux for those of us unfamiliar with it?
> >
> > BJ
>
> SELinux is secure. AppArmor (default) is not ;)
>
> http://en.wikipedia.org/wiki/SELinux
> http://www.nsa.gov/selinux/
>
> Basically SELinux babysits a targeted list of processes on your machine
> and makes sure they behave. It can be thought of as pre-emptive
> security for vulnerabilities that aren't even discovered yet.

Christer,

If you are going to give the difference, give each what they deserve.
AppArmor is not the same as SELinux. It has a similar goal and so people
tend to lump them together. Many systems would benefit from running
both for maximum security.

SELinux is designed to limit what a file or program can do based on its
level or rights. AppArmor is designed to prevent a program from doing
something that it normally doesn't do. SELinux has to have everything
defined. The policies are written manually. AppArmor creates a profile
based off of what the daemon is doing and then locks it down to only
doing those things. For example, SELinux will prevent FTP from serving
files that aren't marked as public, but AppArmor could prevent FTP from
traversing to another directory.

Novell has a good FAQ about AppArmor:
http://developer.novell.com/wiki/index.php/Apparmor_FAQ

That being said, I think that SELinux provides better security than
AppArmor, but they both have good features. So go help test SELinux.

Nathan