06-17-2012, 07:37 PM
Claudius Hubig

AppArmor or SELinux?

Hello Ralf,

Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
> On Sun, 2012-06-17 at 18:45 +0200, Claudius Hubig wrote:
> > AppArmor doesn’t add a single thread to a running Linux system.
>
> So it's a voodoo-ghost and doesn't need resources?

It runs directly in the kernel, where any access control obviously
should take place. I still don’t understand your problem, though.

Best regards,

Claudius
--
I find you lack of faith in the forth dithturbing.
-- Darse ("Darth") Vader
http://chubig.net telnet nightfall.org 4242
 
06-17-2012, 07:41 PM
Tom H

AppArmor or SELinux?

On Sun, Jun 17, 2012 at 12:52 PM, Ralf Mardorf
<ralf.mardorf@alice-dsl.net> wrote:
> On Sun, 2012-06-17 at 18:45 +0200, Claudius Hubig wrote:
>>
>> AppArmor doesn’t add a single thread to a running Linux system.
>
> So it's a voodoo-ghost and doesn't need resources?

If you think that it's using a thread, please show it!

(I don't care either way...)


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAOdo=SxedV-m4mu9_RiOapO3J7AkSb_miqq_+nPg=gjCrRNsfA@mail.gmail.com
 
06-18-2012, 12:37 AM
Ralf Mardorf

AppArmor or SELinux?

On Sun, 2012-06-17 at 15:30 -0400, Tom H wrote:
> > Yes, but it's part of the paranoia and comes with tons of threads,
> > on Ubuntu Precise:
> >
> > spinymouse@precise:~$ ps -eLf|grep console-kit-daemon|wc -l
> > 66
>
> It's an old bug/feature:
>
> https://bugs.freedesktop.org/show_bug.cgi?id=17720
>
> Patches were proposed then pulled because they had undesirable side-effects.
>
> Take a look at the last post in the bug report above and then at:
>
> http://www.freedesktop.org/wiki/Software/ConsoleKit


Thank you,

my knowledge is outdated. I wasn't aware of systemd-loginctl.

- Ralf




Archive: http://lists.debian.org/1339979827.2074.68.camel@precise
 
06-18-2012, 12:43 AM
Ralf Mardorf

AppArmor or SELinux?

On Sun, 2012-06-17 at 15:41 -0400, Tom H wrote:
> On Sun, Jun 17, 2012 at 12:52 PM, Ralf Mardorf
> <ralf.mardorf@alice-dsl.net> wrote:
> > On Sun, 2012-06-17 at 18:45 +0200, Claudius Hubig wrote:
> >>
> >> AppArmor doesn’t add a single thread to a running Linux system.
> >
> > So it's a voodoo-ghost and doesn't need resources?
>
> If you think that it's using a thread, please show it!
>
> (I don't care either way...)

Ok, but it's included and has some impact. To be fair, I don't notice
any performance differences with and without it.


Archive: http://lists.debian.org/1339980211.2074.71.camel@precise
 
06-18-2012, 02:51 AM
~Stack~

AppArmor or SELinux?

Hello Claudius,

I don't have a ton of experience with SELinux on Debian. However, a
specific work project requires a deployment of Red Hat systems all with
SELinux and I have been very impressed with how easy it is to set up and
administer. I have been impressed for a while now, actually. We are
using it for specific services but I don't see why it would be any
different setting up pidgin or opera. I have only deployed SELinux to a
single Debian system and that was under Lenny. I don't recall it being
problematic or anything. We set it up and (just like most of my Debian
systems) let the server run its course without much effort outside of
basic updates/maintenance.

I played with AppArmor on Ubuntu a few months ago and I can see how it
can be an alternative to SELinux, but I think my experience at work has
given me a bias as I got frustrated with it and eventually gave up.

I think SELinux is a good project and worth knowing and deploying. Just my
2 cents.

Good luck!

~Stack~
 
06-18-2012, 09:49 AM
Claudius Hubig

AppArmor or SELinux?

Hello ~Stack~,

~Stack~ <i.am.stack@gmail.com> wrote:
> We are using it for specific services but I don't see why it would be any
> different setting up pidgin or opera. I have only deployed SELinux to a
> single Debian system and that was under Lenny. I don't recall it being
> problematic or anything. We set it up and (just like most of my Debian
> systems) let the server run its course without much effort outside of
> basic updates/maintenance.

Thank you very much for your informative reply! I am still a bit
wary, since SELinux profiles look more complicated than AppArmor
profiles, but given enough time, they’re probably as easy to
understand.

I shall look into SELinux some more, though, due to limited time, not
right now.

Thanks again & best regards,

Claudius
--
Q: How many IBM 370's does it take to execute a job?
A: Four, three to hold it down, and one to rip its head off.
http://chubig.net telnet nightfall.org 4242
 
06-18-2012, 01:32 PM
Tom H

AppArmor or SELinux?

On Sun, Jun 17, 2012 at 8:37 PM, Ralf Mardorf
<ralf.mardorf@alice-dsl.net> wrote:
> On Sun, 2012-06-17 at 15:30 -0400, Tom H wrote:
>>>
>>> Yes, but it's part of the paranoia and comes with tons of threads,
>>> on Ubuntu Precise:
>>>
>>> spinymouse@precise:~$ ps -eLf|grep console-kit-daemon|wc -l
>>> 66
>>
>> It's an old bug/feature:
>>
>> https://bugs.freedesktop.org/show_bug.cgi?id=17720
>>
>> Patches were proposed then pulled because they had undesirable side-effects.
>>
>> Take a look at the last post in the bug report above and then at:
>>
>> http://www.freedesktop.org/wiki/Software/ConsoleKit
>
> Thank you,
>
> my knowledge is outdated. I wasn't aware of systemd-loginctl.

You're welcome.

So are you upgrading your Debian and Ubuntu sysvinit/upstart installs
to systemd to benefit from "systemd-loginctl"?

systemd's gobbling up other projects; and I say so without an
anti-systemd slant. ConsoleKit's deprecated and replaced; udev's
merged in [1]. The latter change must make maintaining udev more
complicated in a non-systemd environment.

[1] http://lists.fedoraproject.org/pipermail/devel/2012-June/168227.html


Archive: http://lists.debian.org/CAOdo=SwyhcWsYftYvP-MfLVGu__X2M_c2n1Vg6nqGP-U+=_XnA@mail.gmail.com
 
06-18-2012, 01:34 PM
Tom H

AppArmor or SELinux?

On Sun, Jun 17, 2012 at 8:43 PM, Ralf Mardorf
<ralf.mardorf@alice-dsl.net> wrote:
> On Sun, 2012-06-17 at 15:41 -0400, Tom H wrote:
>> On Sun, Jun 17, 2012 at 12:52 PM, Ralf Mardorf
>> <ralf.mardorf@alice-dsl.net> wrote:
>>> On Sun, 2012-06-17 at 18:45 +0200, Claudius Hubig wrote:
>>>>
>>>> AppArmor doesn’t add a single thread to a running Linux system.
>>>
>>> So it's a voodoo-ghost and doesn't need resources?
>>
>> If you think that it's using a thread, please show it!
>>
>> (I don't care either way...)
>
> Ok, but it's included and has some impact. To be fair, I don't notice
> any performance differences with and without it.

You'd probably have to compile a kernel without apparmor support to
see a difference. Whether the difference'd be human-detectable's
probably up for debate.


Archive: http://lists.debian.org/CAOdo=SyYwaO+ECzy17PKC-djppg-4Pj=1V5qMxR82s7ip+h7gA@mail.gmail.com
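
Added example, not part of any poster's message: the `ps -eLf | grep ... | wc -l` pipeline quoted in this thread can also count the grep process itself, so this sketch counts a process's threads from /proc, counts tasks named after AppArmor, and checks whether the kernel reports AppArmor as an active LSM. The function names and the sample tree are constructed for illustration, and `/sys/kernel/security/lsm` is assumed to exist only on kernels that expose it.

```shell
# Added example: proc root and LSM file are parameters so the checks run on
# the constructed sample below as well as on a live system.

# Threads of processes named $1. /proc/PID/comm holds at most 15 characters,
# so the wanted name is truncated the same way before comparing.
count_threads() {
    want=$(printf '%.15s' "$1"); root=${2:-/proc}; total=0
    for comm in "$root"/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        read -r have < "$comm" || continue
        [ "$have" = "$want" ] || continue
        for task in "${comm%/comm}"/task/[0-9]*; do
            if [ -d "$task" ]; then total=$((total + 1)); fi
        done
    done
    echo "$total"
}

# Tasks (user threads and kernel threads) whose name contains $1.
tasks_named() {
    root=${2:-/proc}; total=0
    for comm in "$root"/[0-9]*/task/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        read -r have < "$comm" || continue
        case $have in *"$1"*) total=$((total + 1)) ;; esac
    done
    echo "$total"
}

# Succeeds if LSM $1 is in the comma-separated list the kernel reports.
lsm_active() {
    file=${2:-/sys/kernel/security/lsm}; list=
    [ -r "$file" ] || return 1
    read -r list < "$file" || [ -n "$list" ] || return 1
    case ",$list," in *",$1,"*) return 0 ;; esac
    return 1
}

# Constructed sample (not from a real host): a 3-thread daemon and one grep.
make_sample() {
    d=$(mktemp -d) || return 1
    for t in 101/task/101 101/task/102 101/task/103 202/task/202; do mkdir -p "$d/proc/$t"; done
    for c in 101 101/task/101 101/task/102 101/task/103; do echo console-kit-dae > "$d/proc/$c/comm"; done
    echo grep > "$d/proc/202/comm"; echo grep > "$d/proc/202/task/202/comm"
    printf 'capability,yama,apparmor' > "$d/lsm"
    echo "$d"
}
```

On a live system, source the file and call `count_threads console-kit-daemon`, `tasks_named apparmor` and `lsm_active apparmor` with no second argument to read the real /proc and securityfs.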
 

All times are GMT.