On 31.03.23 at 22:13, Lew Wolfgang wrote:
On 3/31/23 12:28, Joe Salmeri wrote:
MicroOS comes with SELinux in enforcing mode and without AppArmor.
Do you think that TW will transition to SELinux and stop using AppArmor?
I read a study years ago comparing SELinux and AppArmor. It basically said that while SELinux is technically superior, it's very difficult to configure. AppArmor on the other hand was much easier to get right. The net effect was that AppArmor gave superior performance in most cases due to the problems getting SELinux configured correctly.
AppArmor might become stackable: https://lwn.net/Articles/912775/

I switched to Fedora two years ago. I still use SELinux in permissive mode. Configuring SELinux is a full-time job. This message to the fedora-devel mailing list by Sam Varshavchik sums up the problems in Fedora: https://marc.info/?l=fedora-devel-list&m=163076934919588&w=2

The book "SELinux System Administration" by Sven Vermeulen is quite good. But I think that your time is better spent on securing and sandboxing software with systemd. See the manual pages systemd.exec(5) and systemd.resource-control(5) for details.

The setroubleshootd, which helps you to adjust your systems, crashed from Fedora 34 to 36. It took Red Hat more than a year to fix the problem, which shows how much effort Red Hat puts into making SELinux usable.
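
What the systemd sandboxing recommended in the last message can look like, as an added example that is not part of the original thread: a drop-in combining directives from systemd.exec(5) and systemd.resource-control(5). The service name exampled.service, the drop-in path and all limit values are hypothetical.

```ini
# /etc/systemd/system/exampled.service.d/hardening.conf
# Hypothetical drop-in; exampled.service and every value below are assumptions.
[Service]
# --- systemd.exec(5): filesystem view ---
# Mount the whole file system hierarchy read-only for this service.
ProtectSystem=strict
# Writable state lives only in /var/lib/exampled, created by systemd.
StateDirectory=exampled
# Hide /home, /root and /run/user; give the service its own /tmp.
ProtectHome=yes
PrivateTmp=yes
# Only pseudo-devices such as /dev/null, no physical devices.
PrivateDevices=yes

# --- systemd.exec(5): privileges and kernel attack surface ---
# setuid/setgid binaries and file capabilities cannot raise privileges.
NoNewPrivileges=yes
# An empty bounding set drops all capabilities.
CapabilityBoundingSet=
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
# Allow only the system calls typical services need; others fail with EPERM.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Sockets limited to local and IP families (no netlink, no raw packets).
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# --- systemd.resource-control(5): limits enforced via cgroups ---
MemoryMax=512M
TasksMax=64
CPUQuota=50%
# Network traffic only to and from the loopback addresses.
IPAddressDeny=any
IPAddressAllow=localhost
```

After `systemctl daemon-reload` and a restart of the unit, `systemd-analyze security exampled.service` lists which sandboxing options are in effect and which remain open.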