suse@rio.vg wrote on 18.08.2006 14:59:40:
Henning Hucke wrote:
SuSE Linux more and more drifts towards "another Windows". In the meantime I know a lot of people - amongst them are numerous administrators which I personally rate as good or very good ones - who already droped SuSE in favor of Debian or comparable distributions.
Mind that.
I personally will install the coming (already released?) SuSE 10.2 on
my
machines and if it will not attract me the installation after this one
will be debian.
But still: Maybe I'm unfair to SuSE/Novell. If it should be the case that I already have the *alternatives* selinux _or_ AppArmor I would have to take the above critics. What I want to have is the choice! Give other users a tool at hand with which they might secure their machines in obscurity as long as you give _me_ the tools at hand to really secure the machines under my administration.
Let me get this straight: You're trashing SuSE because AppArmor isn't the be-all / end-all of perfect security perfection, so you're going to use a distribution that doesn't even have AppArmor at all?
AppArmor is a tool. It's meant to help a server deal with possibly insecure software without the extra hassles of chroot. As far as I can tell, it works very well in that task.
However, as you say, it's not going to stop people who already have shell access from doing naughty things. It never claimed to. Ease of use is not some windows concept. AppArmor is nice and easy to use for the task it was meant to do, and that's a good thing. The more complicated something is, the better chance it gets screwed up. It also frees up my time to take care of other tasks. Are you some kind of masochist that you'd rather make your life harder?
If you need user-level security, go with SELinux. The right tool for the right job.
Seems a pretty good approach : the right tool for the right job ! Personnaly I've choosen AA by exactly the same reasons above : gives me time to take care of other tasks. Have fun ! Miguel Albuquerque Network Administrator DISCLAIMER - This message is intended for the use of the named person only. The information contained in this E-mail is confidential and any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited. This message does not represent a formal commitment by Codalis SA. Codalis SA is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.