You are not logged in.

#1 2016-10-24 13:29:52

Registered: 2015-05-28
Posts: 27

Practical and effective MAC solution - Grsecurity's RBAC or AppArmor?

I have done quite a lot of reading with regards to a Mandatory Access Control implementation for Arch. Seemingly the industry-standard and theoretically more powerful, SELinux appears to be a (unfortunately slow) work-in-progress on Arch, so I have looked into two other popular (popular tends to correlate with better documentation, support, and maintenance, which is crucial for security tools in general) forms of MAC--AppArmor and Grsecurity's built-in RBAC. The former appears to be practically easy to setup and use, although it does require compiling the grsecurity kernel, while the latter doesn't require compiling the kernel but from what I've heard, it requires constant maintenance due to Arch's rolling-release nature, presumably to deal with breakages after upgrades. Unfortunately, AppArmor is the weakest MAC implementation of the three, although to what extent is arguable (I feel AppArmor's  identification of file system objects by their paths rather than by inodes which is the way SELinux does means it is more easily exploitable and prevents it from fine-grained control.

How accurate am I in this assessment of MAC on Arch?

Also, MAC implementations are undoubtedly more important on servers than on desktop systems, but surely MAC on desktops are useful in containing the damage done in the event of an exploit, right?

I'm hoping there can be a fruitful discussion on MAC on Arch and perhaps people can share their experiences with it.

Last edited by mindstormer (2016-10-24 13:32:38)


Board footer

Powered by FluxBB