

Ask HN: Which Mandatory Access System do you prefer? - drKarl

Which MAC do you prefer, SELinux, AppArmor or Tomoyo? Perhaps another option? What are the advantages and disadvantages of each one?
======
Hoff
What's your goal with choosing MAC?

MAC is one of those environments like OOP or Lisp; an approach that twists
your head around on a completely different axis than you might have been
previously accustomed to.

Programming techniques you'd expect to work from previous experience in DAC-
land can become a serious hassle; transferring files inward and upward is
easy, but outward or downward or across is blocked. Copies. Mail. Pipes.
Whatever. And if you're writing a server or daemon that deals with multiple
levels or multiple categories, then your code has a huge target painted on it;
you're writing OS-related security-sensitive code.

Multilevel was (somewhat?) more popular back in the early 1990s; there was
various, and even some elegant, work back then, but those products turned out to
be more expensive to sell, buy, manage, and to program, and with specific
programming requirements. Folks looked at all that, and then tended to buy DAC
and used multiple single-level boxes, and quite possibly as guests within a
VM. Choosing these system-high configurations had the obvious effects on the
MAC market, too.

But to answer your "prefer?" question, none of them, really. Not without a
very specific requirement for all the MAC hassles. Then, and as a distant
second to running system-high, I'd probably pick SELinux.
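
The "inward and upward is easy, but outward or downward or across is blocked" behaviour Hoff describes is the Bell-LaPadula rule set that multilevel systems enforce. The following is an added example, not code from the thread or from any of the MAC systems named: a minimal Python model of labels with a sensitivity level and a set of compartments, the dominance relation between them, and the read/write/copy checks. The level names and compartment names (crypto, nuclear) are conventional illustrations chosen for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Ordered sensitivity levels; these names are a conventional example, not
# something the thread specifies.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self is at least as sensitive as other: a higher-or-equal level
        and a superset of its compartments (categories)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def comparable(self, other: "Label") -> bool:
        """Two labels are 'across' from each other when neither dominates."""
        return self.dominates(other) or other.dominates(self)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down, and no write across to an incomparable label."""
    return obj.dominates(subject)


def can_copy(subject: Label, src: Label, dst: Label) -> Tuple[bool, str]:
    """A copy is a read of src followed by a write to dst; report which step fails."""
    if not can_read(subject, src):
        return False, "read blocked: source is above the subject"
    if not can_write(subject, dst):
        if not subject.comparable(dst):
            return False, "write blocked: destination is across (incomparable compartments)"
        return False, "write blocked: destination is below the subject"
    return True, "allowed"


if __name__ == "__main__":
    me = Label("secret", frozenset({"crypto"}))          # the subject's clearance
    public = Label("unclassified")
    my_dir = Label("secret", frozenset({"crypto"}))
    other_project = Label("secret", frozenset({"nuclear"}))
    ts = Label("top_secret", frozenset({"crypto"}))
    for name, src, dst in [("inward/upward", public, my_dir),
                           ("outward/downward", my_dir, public),
                           ("across", my_dir, other_project),
                           ("from above", ts, my_dir)]:
        print(f"{name:18} {can_copy(me, src, dst)}")
```

The asymmetry is the point: a subject may write upward into a label it cannot read back, which is exactly why a daemon that has to move data between levels needs privilege outside the model and becomes the security-sensitive code Hoff warns about.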

------
JoachimSchipper
Sorry for fueling the flames, but: they're all mostly useless. That is, non-
broken software doesn't need them, and it's very hard to write a profile that
doesn't allow hacked broken software to take over the machine anyway.
Especially with Linux' large number of local exploits. There are almost always
better ways to spend your sysadmin time.

Also, no grsecurity?

~~~
jemfinch
> non-broken software doesn't need them

In my experience, there's no such thing as non-broken software.

~~~
JoachimSchipper
qmail. Postfix. vsftpd. dovecot. OpenSSH (almost). Etcetera.

~~~
jemfinch
Bugs have been found in all of these packages. How much are you willing to
gamble that there are _no more bugs_ in them?

~~~
nailer
It's another layer of protection, agreed. But the general consensus amongst
people who use these systems is to turn them off. They're not user friendly
(see my post below), pretty much always badly documented, and most people
don't have the time required to understand them.

------
nailer
They're all quite rubbish. SELinux logs violations to syslog with 'avc'. You
have to actually learn that 'access vector cache' is a component of SELinux.
Why not just write 'selinux' instead rather than making me learn its shite
jargon?
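
The 'avc' records nailer is complaining about do follow a fixed shape (`avc: denied { perms } for key=value ...` with `scontext`, `tcontext`, `tclass` and `permissive`), so they can be parsed and rendered in plain language without the reader having to know what an access vector cache is. The following is an added example, not code from the thread or from the SELinux project: a small Python parser that turns such lines into structured records, says whether each denial was enforced or only logged, and aggregates them by source domain, target type, object class and permission. The sample lines are constructed for this example; pids, inode numbers, file names and the unrelated trailing line are invented.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample lines in the format the kernel writes for SELinux AVC
# decisions (via auditd or syslog). Pids, inodes, names and the final
# unrelated line are invented for this example.
SAMPLE_LOG = """\
type=AVC msg=audit(1364481363.243:24): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1364481364.101:25): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1364481365.500:26): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1364481366.000:27): avc:  denied  { write } for  pid=2000 comm="sshd" name="foo" dev="dm-0" ino=999 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Mar 28 12:03:55 host kernel: unrelated line that is not an AVC record
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx: str) -> str:
    """user:role:type[:level] -> type; the type is what policy rules key on."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return a structured record for an AVC line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": kv.get("comm", "?"),
        "pid": kv.get("pid", "?"),
        "source_type": context_type(kv.get("scontext", "")),
        "target_type": context_type(kv.get("tcontext", "")),
        "tclass": kv.get("tclass", "?"),
        # permissive=1 means the denial was logged but the access went ahead
        "enforced": kv.get("permissive", "0") == "0",
        "raw": kv,
    }


def summarize_denials(log_text: str) -> Counter:
    """Count denials by (source type, target type, object class, permission)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["source_type"], rec["target_type"], rec["tclass"], perm)] += 1
    return counts


def describe(rec: Dict[str, object]) -> str:
    """Plain-language rendering so the reader never has to decode 'avc'."""
    mode = "blocked" if rec["enforced"] else "logged only (permissive)"
    return (f"SELinux {mode}: {rec['comm']} (pid {rec['pid']}, domain {rec['source_type']}) "
            f"tried {' '.join(rec['perms'])} on a {rec['tclass']} labelled {rec['target_type']}")


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_avc(line)
        if rec:
            print(describe(rec))
    for key, n in summarize_denials(SAMPLE_LOG).most_common():
        print(n, key)
```

Aggregating by (domain, type, class, permission) rather than by raw line is what makes the output actionable: two httpd reads of the same home-directory file collapse into one policy question (should httpd_t read user_home_t at all?), and the permissive=1 record stands out as an access that actually happened.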

