Adrian Bunk wrote: > On Tue, Jun 26, 2007 at 07:47:00PM -0700, Andrew Morton wrote: > >> Do you agree with the "irreconcilable" part? I think I do. I am hoping for a reconciliation where the people who don't like AppArmor live with it by not using it. AppArmor is not intended to replace SELinux, it is intended to address a different set of goals. >> I suspect that we're at the stage of having to decide between >> >> a) set aside the technical issues and grudgingly merge this stuff as a >> service to Suse and to their users (both of which entities are very >> important to us) and leave it all as an object lesson in >> how-not-to-develop-kernel-features. >> >> Minimisation of the impact on the rest of the kernel is of course >> very important here. >> >> versus >> >> b) leave it out and require that Suse wear the permanent cost and >> quality impact of maintaining it out-of-tree. It will still be an >> object lesson in how-not-to-develop-kernel-features. >> ... > versus > > c) if [1] AppArmor is considered to be something that wouldn't > be merged if it wasn't already widely deployed by Suse: leave it out, > work on an ideal solution [2], and let Suse wear the one-time cost > of migrating their users to the ideal solution > We argue that the proposed patch is a viable solution for providing AppArmor functionality. We would be happy for specific suggestions on how to make it better. > I'm not claiming to understand the technical details, but from both > slightly reading over the previous discussions and the "What are the > advantages of AppArmor over SELinux?" section in the AppArmor FAQ [3] my > impression is that a main advantage of AppArmor are more user friendly > userspace tools. Therefore, if [1] AppArmor is considered technically > inferior to SELinux, it might still become more popular than SELinux > simply because it's easier to use - and although it's technically > inferior. AppArmor's advantages come from the model, not the tools. AppArmor is not inferior to SELinux, it is different than SELinux. Neither can replace the other without horrid kludges. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering http://novell.com AppArmor Chat: irc.oftc.net/#apparmor - To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
