AppArmor is fine, but it really only handles file system restrictions, not system call restrictions. If they added that, then there would be some reasonable arguments about which approach was better. As it is, I need functionality from SELinux to secure my system -- it's not that hard to configure for any professional, but it's not for the end user -- but the lack of support for SELinux on SUSE from the people who need to provide it, the distributor, makes SUSE unsuitable for important Linux application deployments.
Your mileage may vary and people may disagree, but having to implement a solution in practice for several critical applications -- AppArmor is fast and easy and incomplete. SELinux is not that much slower with some tools already out there and is much more complete.