Hello Camaleón, Camaleón <noelamac@gmail.com> wrote: > On Sun, 17 Jun 2012 13:14:03 +0200, Claudius Hubig wrote: > And I share the same feeling for SELinux, I mean, a tool that can be very > helpful when it is properly configured and you know well about its > possibilities but its setting up is not what we would consider a child > game. Administrating a computer is not a child game, and, yes, it took me some time to tweak my custom AppArmor profiles to do what I want. > > However, I just noticed that there don’t appear AppArmor profiles to be ^^^^^^^^ This should read ‘patches’. IOW, the kernel patches distributed with AppArmor currently don’t apply cleanly to Kernel 3.4 sources. > Debian used to include some support for SELinux but I dunno about the > status for AppArmor. There's more information here: > > http://wiki.apparmor.net/index.php/Distro_debian Unfortunately, that information is rather out of date, as you can see from the Kernel version numbers, for example. That said, AppArmor currently runs fine on Linux 3.2 - and I just found what appears to be kernel 3.4 patches[1]. Nevertheless, my concerns still stand, as the development model of AppArmor still appears rather chaotic, with some outdated wiki pages etc. > > My question is: Would it make sense to deploy SELinux on my system to > > achieve the tasks mentioned above? > > Mmm... I'd say no. Thanks. Please allow me to rephrase the question: Given the temporary unavailability of kernel patches for AppArmor for kernel 3.4, the fact that it appears not to be fully merged into the main kernel, the rather chaotic wiki page which lets one hunt for the required patches and the lack of official support by major distributions other than Ubuntu, would it make sense to switch from a running AppArmor system to a SELinux system? > I find it a valid concern but for a mere user point of view, I would > prefer having to deal with not that complex utilities to harden the > system applications, for example, something like the sandbox or virtual > machine concept, i.e., easy to deploy (some brosers already include a > sandbox from where they run the dangerous plugins), easy to understand (a > separate zone that cannot interefere with the host system) and easy to use > ("run & go", or "install, run & go") :-) Security can never be reached by a run & go concept, simply because individual requirements differ far too much to cater for all different needs with default configurations. And while sandboxing is a sensible approach _within_ the browser, it only handles plugins in an assumed-as-safe application, not the application itself. The kernel should do that, and that’s what SELinux, AppArmor etc. are for, in my opinion: separate processes, users and files as much as possible. Complete virtual machines for each of the applications (Opera, Iceweasel, Pidgin, Skype) would a) probably break my machine’s RAM requirements b) be rather unusable c) make it much more difficult to, for example, download a file with Iceweasel and then send it to someone using Pidgin. Best regards, Claudius [1] http://wiki.apparmor.net/index.php/Gittutorial -- A wife lasts only for the length of the marriage, but an ex-wife is there *for the rest of your life*. -- Jim Samuels http://chubig.net telnet nightfall.org 4242
Attachment:
signature.asc
Description: PGP signature