Re: AppArmor FAQ

[James Morris]

On Tue, 17 Apr 2007, David Wagner wrote:

> Maybe you'd like to confine the PHP interpreter to limit what it can do.
> That might be a good application for something like AppArmor.  You don't
> need comprehensive information flow control for that kind of use, and
> it would likely just get in the way.

SELinux can do this, it's policy-flexible.  You can even simulate a 
pathame-based policy language with a consequential loss of control:

http://seedit.sourceforge.net/

> might well use AppArmor.  They solve different problems and have different
> tradeoffs.  There is room for more than one security tool in the world.

That is not the point of this discussion, although we can at least be 
thankful that Linus didn't request that the networking layer be pluggable 
to the extent that the security layer is, otherwise we'd have a menagerie 
of "better" TCP stacks, TOE frameworks, STREAMS modules and whatever other 
fantastic ideas that people might be inclined to drag out of the kitchen 
sink.


- James
-- 
James Morris
<jmorris@xxxxxxxxx>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/