On 4/10/21 12:51 AM, Lew Wolfgang wrote:
On 4/9/21 2:48 PM, Michael Ströder wrote:
On 4/9/21 11:33 PM, Matěj Cepl wrote:
On 09. 04. 21 at 23:30, Michael Ströder wrote:
Could you please elaborate what the big advantage of SELinux would be?
Improved security and more granular rights for openSUSE (as Fedora/RHEL have it).
And an insane CPU and I/O load when updating the SELinux profiles... At least that's my experience with CentOS.
But sorry, I don't buy this broad statement regarding better security.
I'm certainly no expert in these matters, but I have customized some AppArmor profiles in the past.
Years ago I looked at comparisons between AppArmor and SELinux and I found one reference that claimed that overall, AppArmor gave better security because it's easier to maintain and customize. They said that SELinux gives better potential security, but only if people know how to do it, and not many have that knowledge and inclination.
This is exactly the point.
With Christian Boltz's instructions it was very easy for me as an AppArmor rookie to confine all Æ-DIR services within ~3 days. And this without using tools like aa-genprof but generating AppArmor profiles with Ansible based on hand-made Jinja2 templates. Plus another 1.5 days for creating much stricter AppArmor base abstractions. Before, I did not expect this to be possible within a short time-frame.
To me SELinux looks way harder to begin with.
Ciao, Michael.