SELinux is more elaborate and more complicated than AppArmor; tomoyo is
relatively new. I would personally regard none of those MAC systems as
the ultimate remedy to hard security problems. In 2011 I had a
RedHat/SELinux system in its default configuration and it was
compromised within minutes by simply viewing the page of my bank with a
web browser (read the whole at:
http://www.elstel.org/Censorship.html.en). Note that a single faulty
system call in the Linux kernel may be used to obtain root rights
leaving all additional security gains that MAC systems should deliver
behind. Please note also that a system cannot be secured without
securing your X-server (formerly one could even paste text into any
other window like a root console without being in need of root rights).
Finally, the security profiles of MAC systems are very complicated so
that they would hardly deliver the security that is possible in theory. If
you wanna ask me for my security solution, it is qemu based and puts the
most vulnerable system components like browsers and email programs into
a virtual machine, namely qemu, which is maintained by the Open Source
community.

Regards,
Elmar

On 29.11.2015 18:29, c4p0 wrote:
I read the fucking manuals but am not clear on which is the better
option of "Mandatory Access Control" for Debian jessie
(AppArmor, SELinux, tomoyo, etc.).
Can someone give me their opinion about it?
Thanks in advance