Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
View Poll Results: Which one provides best security?
SELinux in my opinion has the most development momentum. I really appreciate Dan Walsh's commitment to fixing problems and answering questions on the devel lists
Thanks for this input, exactly the stuff I am looking for.
I read a bunch about AppArmor, how easy it is, easy to understand, yada yada yada, but when you factor in it's for a dying breed I want to shy away from it, etc.
GRsecurity also seems to have some followers. Some places like phoenixnap.com use GRsecurity religiously, my guess is because GRsec has more pre-built selections than SELinux does, but I lean more towards protection ability and robust support vs. out-of-the-box pre-built settings.
I have no familiarity with AppArmor and have never even heard of GRSecurity.
What is now known as SELinux is a MAC system that evolved from patches to the kernel created by the United States of America's NSA (National Security Agency) for their own use (and before that, whole MAC operating systems). I have no reason to convince anyone one way or another.. times change.. needs and software evolve.. new ideas emerge.... but SELinux is rock-solid and has a lot of developer backing (thank you very much, Red Hat).
Well, others are indeed on the heels of RH. GRsec is nifty and from what I can tell it's gaining attention.
First of all, SELinux is not just Red Hat. I think RHT had the will and the resources to make SELinux happen, but they didn't do it just for themselves.
Like I said, new ideas emerge, better ways to do things are thought of ... this is how upstart and then systemd came along. After doing some reading, of course I can agree that GRSec looks promising, but if someone wants a comprehensive MAC solution for linux, it seems like SELinux is still the best choice. Also, I'm surprised you didn't mention TOMOYO -- from what I understand, it's a lot more alive than AppArmor.
Also, I'm sure you've already googled about this, but the conclusion from this paper is .. well, something.
Quote:
9 Conclusions

After doing a thorough theoretical and practical comparison between SELinux and grsecurity, we were able to make several broad conclusions about the potential advantages and disadvantages of each system with respect to the other. We purposely compared the two in terms of their theory and practicality so as to provide a deeper understanding of how one vies with the other. It is common knowledge that theory and practice are two very different entities and sometimes a system which appears to be more theoretically sound than another is sometimes less practical.

9.1 Conclusions Pertaining to Theory

From a theoretical standpoint, SELinux is a more powerful access control mechanism, since it incorporates role-based access control (RBAC). Nevertheless, we believe the two theories allow for sound security models. They both allow for easy control of access between processes and objects, processes and other processes, and objects and other objects.

9.2 Conclusions Pertaining to Practice

The tools and capabilities that come with each set one security system apart from the other. The Flask architecture in SELinux provides for a flexible security policy. This means that the administrator can very easily manipulate and customize the policy by simply modifying a set of policy files written in a policy language set forth by the developers of SELinux. The policy language is not so easy to learn but allows for efficient methods of customization. Based upon our experimental implementation of a security policy using SELinux, we conclude that this policy language is powerful and robust and should be considered (by one choosing to use one security system over the other) as the most dominating advantage it has. Grsecurity, on the other hand, comes with the gradm tool, which is capable of programmatically optimizing and fine-tuning ACLs in the operating system. In basing his choice on whether he likes one system over the other, one should first decide whether he wants the flexibility but semi-difficulty that SELinux offers or the somewhat inflexibility but ease that grsecurity offers.

In terms of performance of one system over the other, we conclude that they are generally equal in quality. Although, we noted several small differences of performance in very specific areas, we believe that these differences balance out and do not hold much water in helping one choose his preference of one system over the other.