Henning Hucke wrote:
SuSE Linux more and more drifts towards "another Windows". In the meantime I know a lot of people - amongst them are numerous administrators which I personally rate as good or very good ones - who already droped SuSE in favor of Debian or comparable distributions.
Mind that.
I personally will install the coming (already released?) SuSE 10.2 on my machines and if it will not attract me the installation after this one will be debian.
But still: Maybe I'm unfair to SuSE/Novell. If it should be the case that I already have the *alternatives* selinux _or_ AppArmor I would have to take the above critics. What I want to have is the choice! Give other users a tool at hand with which they might secure their machines in obscurity as long as you give _me_ the tools at hand to really secure the machines under my administration.
Let me get this straight: You're trashing SuSE because AppArmor isn't the be-all / end-all of perfect security perfection, so you're going to use a distribution that doesn't even have AppArmor at all? AppArmor is a tool. It's meant to help a server deal with possibly insecure software without the extra hassles of chroot. As far as I can tell, it works very well in that task. However, as you say, it's not going to stop people who already have shell access from doing naughty things. It never claimed to. Ease of use is not some windows concept. AppArmor is nice and easy to use for the task it was meant to do, and that's a good thing. The more complicated something is, the better chance it gets screwed up. It also frees up my time to take care of other tasks. Are you some kind of masochist that you'd rather make your life harder? If you need user-level security, go with SELinux. The right tool for the right job. Many administrators are taking a hard look at Debian and CentOS for one reason: Package management. SuSE completely and utterly screwed the pooch with the whole zen/rug garbage. AppArmor, however, has been a major plus in SuSE's favor, imho.