Re: [AppArmor 00/44] AppArmor security module overview

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Adrian Bunk <bunk@xxxxxxxxx> writes:

> On Tue, Jun 26, 2007 at 07:47:00PM -0700, Andrew Morton wrote:
>> On Tue, 26 Jun 2007 19:24:03 -0700 John Johansen <jjohansen@xxxxxxx> wrote:
>> 
>> > > 
>> > > so...  where do we stand with this?  Fundamental, irreconcilable
>> > > differences over the use of pathname-based security?
>> > > 
>> > There certainly seems to be some differences of opinion over the use
>> > of pathname-based-security.
>> 
>> I was refreshed to have not been cc'ed on a lkml thread for once.  I guess
>> it couldn't last.
>> 
>> Do you agree with the "irreconcilable" part?  I think I do.
>> 
>> I suspect that we're at the stage of having to decide between
>> 
>> a) set aside the technical issues and grudgingly merge this stuff as a
>>    service to Suse and to their users (both of which entities are very
>>    important to us) and leave it all as an object lesson in
>>    how-not-to-develop-kernel-features.
>> 
>>    Minimisation of the impact on the rest of the kernel is of course
>>    very important here.
>> 
>> versus
>> 
>> b) leave it out and require that Suse wear the permanent cost and
>>    quality impact of maintaining it out-of-tree.  It will still be an
>>    object lesson in how-not-to-develop-kernel-features.
>>...
>
> versus
>
> c) if [1] AppArmor is considered to be something that wouldn't 
>    be merged if it wasn't already widely deployed by Suse: leave it out, 
>    work on an ideal solution [2], and let Suse wear the one-time cost
>    of migrating their users to the ideal solution
>
> One important point is that if AppArmor gets merged there will be much 
> more distribution support for it, and many people on !Suse will start 
> using it.
>
> I'm not claiming to understand the technical details, but from both 
> slightly reading over the previous discussions and the "What are the 
> advantages of AppArmor over SELinux?" section in the AppArmor FAQ [3] my 
> impression is that a main advantage of AppArmor are more user friendly 
> userspace tools. Therefore, if [1] AppArmor is considered technically 
> inferior to SELinux, it might still become more popular than SELinux 
> simply because it's easier to use - and although it's technically 
> inferior.


A couple of random thoughts to mix up this discussion.


[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux