The following archives are provided as a public service to the community. Opinions archived here do not necessarily represent the opinions of Open for Business or its contributors.
On Wed, 2005-05-18 at 07:31 -0500, Ed Hurst wrote:
> I've read the blurbs, but naturally I don't get it. Either they aren't
> really describing it well, or I'm too dense. Can anyone explain what
> this does:
>
> http://www.novell.com/products/apparmor/
>
> If I understand correctly, it's a policy enforcement mechanism that runs
> on a Linux network.

My understanding, and I'm not sure I'm right, is that this is something like SELinux in that it limits the access of applications to the system to only what they should do. I'm not yet clear on whether it focuses on the network environment or the system itself. Sometimes this concept is referred to as an application firewall (I think, though I'm not yet sure the two are the same).

In other words, we've lost trust in users and computers, but we still trust programs to be good. However, most programmers can't claim to know exactly what their programs do and may be surprised to find a directory wiped out or a security hole that gives access to the system as root. This would prevent this sort of thing. That's SELinux. I'm guessing AppArmor is taking the more network-based approach and not letting the program access the network or the network access the program outside of a set of parameters.

Anyone want to point out the errors in my understanding of the concepts? I know I'm still real shaky in this area.

JSR/
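For readers who want to see what the "limits the access of applications to only what they should do" idea looks like in practice, here is an AppArmor profile as an added illustration; it is not part of the original thread and not taken from Novell's documentation. The daemon path /usr/sbin/exampled and every path under it are hypothetical. The profile is per-program: it is keyed on the executable's path, lists the files the program may touch with the access modes it needs, and (on AppArmor versions that mediate networking) the socket families it may use; anything not listed is denied and logged.

```apparmor
# Added example profile for a hypothetical network daemon, /usr/sbin/exampled.
# Installed as /etc/apparmor.d/usr.sbin.exampled on a typical system.
#include <tunables/global>

/usr/sbin/exampled {
  # Common abstractions: libc, shared libraries, locale, resolver config.
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Allow binding a port below 1024 only; no other capabilities.
  capability net_bind_service,

  # Network mediation: TCP over IPv4/IPv6 only (no raw sockets, no UDP).
  network inet stream,
  network inet6 stream,

  # The binary itself: map as executable, read-only.
  /usr/sbin/exampled mr,

  # Configuration is read-only; state and logs are the only writable paths.
  /etc/exampled/** r,
  /var/lib/exampled/** rw,
  /var/log/exampled/*.log w,
  /var/run/exampled.pid rw,

  # Explicit denials are redundant under default-deny but document intent
  # and suppress audit noise for paths the program is known to probe.
  deny /etc/shadow r,
  deny /home/** rw,
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/usr.sbin.exampled`; `aa-complain` puts the profile into learning mode (violations are logged but allowed) so the rule set can be built from observed behaviour before `aa-enforce` switches it to enforcement. Note that this model confines file and socket access from the program's side; it is not a packet filter, so whether it counts as an "application firewall" depends on what one means by the term.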