LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

View Poll Results: Which one provides best security?
SELinux 5 83.33%
GRSecurity 0 0%
AppArmor 1 16.67%
Voters: 6. You may not vote on this poll

Reply
 
Search this Thread
Old 01-11-2012, 10:39 AM   #1
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 516

Rep: Reputation: 51
Which MAC to use


i am trying to get a feeling of which MAC package you feel is better. this is not a "which one do you use" poll.

for those who have had a chance to use each of these, which one do you feel provides the best protection?

SELinux
GRSecurity
AppArmor

Last edited by Linux_Kidd; 01-11-2012 at 10:41 AM.
 
Old 01-17-2012, 04:47 PM   #2
przemek.klosowski
LQ Newbie
 
Registered: Jun 2011
Posts: 3

Rep: Reputation: Disabled
SELinux in my opinion has the most development momentum. I really appreciate Dan Walsh's commitment to fixing problems and answering questions on the devel lists
 
Old 01-17-2012, 09:03 PM   #3
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 516

Original Poster
Rep: Reputation: 51
Quote:
Originally Posted by przemek.klosowski View Post
SELinux in my opinion has the most development momentum. I really appreciate Dan Walsh's commitment to fixing problems and answering questions on the devel lists
thnx for this input, exactly the stuff i am looking for.
i read a bunch about AppArmor, how easy it is, easy to understand, yada yada yada, but when you factor in its for a dying breed i want to shy away from it, etc.

GRsecurity also seems to have some followers. some places like phoenixnap.com use GRsecurity religiously, my guess is because GRsec has more pre-built selections than SElinux does, but i lean more towards protection ability and robust support vs. out-of-the-box pre-built settings.
 
Old 01-18-2012, 01:00 PM   #4
ryran
LQ Newbie
 
Registered: Dec 2011
Location: Abu Dhabi
Distribution: Fedora
Posts: 19

Rep: Reputation: Disabled
I have no familiarity with AppArmor and have never even heard of GRSecurity.

What is now known as SELinux is a MAC system that evolved from patches to the kernel created by the United States of America's NSA (National Security Agency) for their own use (and before that, whole MAC operating systems). I have no reason to convince anyone one way or another.. times change.. needs and software evolve.. new ideas emerge.... but SELinux is rock-solid and has a lot of developer backing (thank you very much, Red Hat).
 
Old 01-18-2012, 01:52 PM   #5
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 516

Original Poster
Rep: Reputation: 51
Quote:
Originally Posted by ryran View Post
I have no familiarity with AppArmor and have never even heard of GRSecurity.

What is now known as SELinux is a MAC system that evolved from patches to the kernel created by the United States of America's NSA (National Security Agency) for their own use (and before that, whole MAC operating systems). I have no reason to convince anyone one way or another.. times change.. needs and software evolve.. new ideas emerge.... but SELinux is rock-solid and has a lot of developer backing (thank you very much, Red Hat).
well, others are indeed on the heels of RH. GRsec is nifty and from what i can tell its gaining attention.
 
Old 01-18-2012, 03:16 PM   #6
ryran
LQ Newbie
 
Registered: Dec 2011
Location: Abu Dhabi
Distribution: Fedora
Posts: 19

Rep: Reputation: Disabled
Quote:
Originally Posted by Linux_Kidd View Post
well, others are indeed on the heels of RH. GRsec is nifty and from what i can tell its gaining attention.
First of all, SELinux is not just Red Hat. I think RHT had the will and the resources to make SELinux happen, but they didn't do it just for themselves.

Like I said, new ideas emerge, better ways to do things are thought of ... this is how upstart and then systemd came along. After doing some reading, of course I can agree that GRSec looks promising, but if someone wants a comprehensive MAC solution for linux, it seems like SELinux is still the best choice. Also, I'm surprised you didn't mention TOMOYO -- from what I understand, it's a lot more alive than AppArmor.

Also, I'm sure you've already googled about this, but the conclusion from this paper is .. well, something.
Quote:
9 Conclusions
After doing a thorough theoretical and practical comparison between SELinux and grsecurity, we
were able to make several broad conclusions about the potential advantages and disadvantages of
each system with respect to the other. We purposely compared the two in terms of their theory
and practicality so as to provide a deeper understanding of how one vies with the other. It is
common knowledge that theory and practice are two very different entities and sometimes a
system which appears to be more theoretically sound than another is sometimes less practical.

9.1 Conclusions Pertaining to Theory
From a theoretical standpoint, SELinux is a more powerful access control mechanism, since it
incorporates role-based access control (RBAC). Nevertheless, we believe the two theories allow
for sound security models. They both allow for easy control of access between processes and
objects, processes and other processes, and objects and other objects.

9.2 Conclusions Pertaining to Practice
The tools and capabilities that come with each set one security system apart from the other. The
Flask architecture in SELinux provides for a flexible security policy. This means that the
administrator can very easily manipulate and customize the policy by simply modifying a set of
policy files written in a policy language set forth by the developers of SELinux. The policy
language is not so easy to learn but allows for efficient methods of customization. Based upon
our experimental implementation of a security policy using SELinux, we conclude that this
policy language is powerful and robust and should be considered (by one choosing to use one
security system over the other) as the most dominating advantage it has. Grsecurity, on the other
hand, comes with the gradm tool, which is capable of programmatically optimizing and finetuning
ACLs in the operating system. In basing his choice on whether he likes one system over
the other, one should first decide whether he wants the flexibility but semi-difficulty that
SELinux offers or the somewhat inflexibility but ease that grsecurity offers.

In terms of performance of one system over the other, we conclude that they are generally equal
in quality. Although, we noted several small differences of performance in very specific areas,
we believe that these differences balance out and do not hold much water in helping one choose
his preference of one system over the other.

Last edited by ryran; 01-18-2012 at 03:25 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Snow Leopard on a Mac without a Mac motherboard LXer Syndicated Linux News 1 01-12-2010 01:28 PM
xen linux guest mac acquiring mac 00:00:00:00:00:00 linux_fever Linux - Virtualization and Cloud 0 12-04-2009 02:52 PM
Ethernet MAC Addresses database; MAC address-based processing cctualatin Linux - Newbie 1 04-14-2009 08:59 AM
Linux / UNIX OS for Motorola RAZR v3 -- Sync it with OpenBSD 4.2/Mac 10.5/Mac 10.3 Doctorzongo Linux - Laptop and Netbook 0 04-30-2008 01:27 AM
How can I read the Mac part of a Win/Mac CD? tredegar Linux - Software 4 02-02-2008 03:58 AM


All times are GMT -5. The time now is 07:21 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration