AppArmor for Fedora
Tom Horsley
tom.horsley at att.net
Sun Aug 26 22:16:24 UTC 2007
On Sun, 26 Aug 2007 22:34:13 +0100
Alan Cox <alan at lxorguk.ukuu.org.uk> wrote:
> Fedora follows upstream. Upstream for now has rejected AppArmor for a
> variety of very sound technical reasons. in part to do with whether its
> actually secure, or even possibly to build a proper security model with
> it.
Yea, I remember at work someone genned a suse system and forgot
to disable AppArmor. I forget which program it was, but some totally
innocuous utility like "date" or "uname" or something wouldn't
run because AppArmor was configured to call it dangerous for
some reason.
The truly wonderful part was that if you made a copy of the
executable under a different name, it worked fine, it was only
the installed one that AppArmor was helpfully protecting you from.
I'm not sure what security model that corresponds to, the
word "lame" comes to mind however :-).
More information about the fedora-list
mailing list