[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Mandatory Access Control

SELinux is more elaborate and more complicated than Apparmor; tomoyo relatively new. I would personally regard none of those MAC systems as ultimate remedy to hard security problems. In 2011 I had a RedHat/SELinux system in its default configuration and it was compromised within minutes by simply viewing the page of my bank with a web browser (read the whole at: http://www.elstel.org/Censorship.html.en). Note that a single faulty system call in the Linux kernel may be used to obtain root rights leaving all additional security gains that MAC systems should deliver behind. Please note also that a system can not be secured without securing your X-server (formerly one could even paste text into any other window like a root console without being in need of root rights). Finally the security profiles of MAC systems are very complicated so that they would hardly deliver the security as possible in theory. If you wanna ask me for my security solution it is qemu based and puts the most vulnerable system components like browsers and email programs into a virtual machine namely qemu which is maintained by the Open Source commnunity. 

Regards,
Elmar

On 29.11.2015 18:29, c4p0 wrote:

I read the fucking manuals but don't have clear what is the better
option of "Mandatory Access Control" for debian jessie.
(AppArmor, SElinux, tomoyo, etc ..)

someone can give me your opinion about it?
thanks in advance
Reply to: