[Novalug] Controlling unauthorized application usage in Linux

David A. Cafaro dac at cafaro.net
Fri Mar 28 13:08:25 EDT 2008


True, SELinux and AppArmor are really in a league way above WSR, but if
someone (like the original question) is asking how Linux might
protect specific apps from specific users besides just user/group
permissions, they are the options of choice.

So what if they're more powerful, flexible, and secure than the Windows
solution, we're all used to that ;-).

Cheers,
David


On Mar 28, 2008, at 1:03 PM, Pete Nuwayser wrote:
>
> I wouldn't compare SELinux and AppArmor to Windows Software
> Restriction.  SELinux and AppArmor are watchdogs; WSR is a checkpoint.
>
> 1.  SELinux and AppArmor allow granular control over what a binary is
> allowed to do; WSR's policies establish which binaries are allowed to
> run (or not) based on what the file extension is, where the file is
> located and whether the file is properly signed.  WSR doesn't mediate
> what those binaries are allowed to do if they /do/ run.
>
> 2.  SELinux and AppArmor mediation happen at the kernel level, which
> is as high as you get.  I don't know where it happens in Windows.
>
> 3.  SELinux and AppArmor check activity in real time, while WSR just
> checks the location and 3-digit extension of the file against the
> policy or certificate once and never gets involved again.
>
> 4.  SELinux and AppArmor both protect against zero-day attacks by
> defining what the binaries are allowed to access, such that even if a
> binary is compromised, it still only gets read permission to the
> config files (for example).
>
> Pete
>
> -- 
> /pete nuwayser/
> $LASTNAME gmail com

David A. Cafaro <dac at cafaro.net>
Cafaro's Ramblings:  www.cafaro.net
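
Added example, not part of the original thread: a minimal AppArmor profile illustrating points 1 and 4 of the quoted message, where the kernel confines what a running binary may touch so that a compromised process still gets only read access to its config files. The daemon name `exampled` and all of its paths are hypothetical.

```apparmor
# Hypothetical profile for an example daemon; every path below is an assumption.
#include <tunables/global>

/usr/sbin/exampled {
  #include <abstractions/base>

  # The binary itself: map and read only.
  /usr/sbin/exampled mr,

  # Configuration is read-only. A compromised process cannot rewrite it.
  /etc/exampled/ r,
  /etc/exampled/** r,

  # The only writable locations: state directory, log file, pid file.
  /var/lib/exampled/ r,
  /var/lib/exampled/** rw,
  /var/log/exampled.log w,
  /run/exampled.pid rw,

  # Listen on a TCP port below 1024, nothing else privileged.
  capability net_bind_service,
  network inet stream,

  # Anything not listed above is denied by default; these explicit
  # deny rules take precedence over allows and are not logged.
  deny /etc/shadow r,
  deny /home/** rw,
}
```

Loading the profile in complain mode first (`aa-complain`) logs what would have been denied without blocking it, which helps confirm the allow list before switching to enforce mode (`aa-enforce`).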
