AppArmour open sourced. Possible inclusion in Fedora?
alan
alan at clueserver.org
Tue Jan 17 21:25:30 UTC 2006
On Wed, 18 Jan 2006, John Summerfield wrote:
> Dave Jones wrote:
> > On Tue, Jan 17, 2006 at 12:14:58PM -0500, Adam Gibson wrote:
> > > http://arstechnica.com/news.ars/post/20060113-5975.html
> > >
> > > From all the reading I have done it seems that configuration would be
> > > much easier for most system admins. A utility can learn what access is
> > > needed by monitoring the app so that you don't have to know all the
> > > details of what the app touches to get it working for new apps.
> >
> > For one thing it needs kernel patches that aren't upstream, which makes
> > it unlikely. Given it duplicates a subset of SELinux functionality,
> > it seems somewhat pointless to divide our efforts on two solutions
> > to the same problem instead of improving the one that upstream has
> > already chosen.
>
> If Red Hatters are monitoring the opposition, they will already know
> about AppArmour.

Furthermore, it does a number of things differently than SELinux. It does
not just "duplicate a subset of SELinux functionality". It does not have
the problem of requiring a tagged filesystem like SELinux does. It allows
you to contain processes in a "chrootless chroot". It specifies what a
process can touch on the filesystem and how on a per application basis.

I am not certain if the two can be merged or not. I have not tested the
latest kernel patches against an SELinux enabled kernel. I am planning on
doing it for my own use. The current Rawhide kernel is giving me fits
though. (The nvidia driver no longer builds.)

--
"George W. Bush -- Bringing back the Sixties one Nixon at a time."