On Mon, 2012-07-16 at 15:35 -0400, Boruch Baum wrote: > > From: Rick <[email protected]> [email protected]> > > wrote: > > > >> Yesterday Nick Daly started a discussion about PHP alternatives. > >> PHP is crap, and has a very bad security reputation. Should we > >> use programs that are written in PHP for the FreedomBox? > >> > > Sounds like a job for selinux. > Rob is spot on regarding TOMOYO. I've easily deployed version 2.3 of > TOMOYO on a Linux box and was (figuratively speaking) ecstatic over > its ease of use compared to SElinux. TOMOYO also doesn't mess with > with your filesystem (as SElinux does). Two caveats: 1] AKARI > --should-- be similar; 2] I understand that the tomoyo developers were > considering some major structural feature and syntax changes since > version 2.3, and they're currently at version 2.5. > > In my particular usage case, Tomoyo revealed alot of nonsense that > some Firefox add-ons were doing, and allowed me to easily restrict the > wayward activities. And the add-ons continued to function fine anyway. > > Even though tomoyo is ridiculously simpler to use than SElinux, Should > Freedombox decide to integrate TOMOYO or AKARI into the build, I would > still strongly (very very) suggest FreedomBox prepare default profiles > for the default FreedomBox apps. (SUSE and Canonical did so for > Apparmor, but when I evaluated Apparmor a few years ago, their > defaults were uselessly liberal - no offense intended to you liberals > on the list). I had suggested this a few years ago on the tomoyo > discussion list and directly with the tomoyo developers, but at the > time, the effort went nowhere.
Hi Boruch, I have been working with SELinux for quite a few years now, and I find it complete and tested on the ground in a manner that trumps all other players from my POV. However I am interested in understanding why you say that "Even though Tomoyo is ridiculously simpler to use than SElinux". In what ways is Tomoyo simpler ? I admit I do not know much about tomoyo, but because it is based on file paths like apprmor I find it is probably inherently less powerful than SElinux on top of the fact that is certainly a lot less tested, which is not too good in security related stuff. Simo. -- Simo Sorce Samba Team GPL Compliance Officer <[email protected]> Principal Software Engineer at Red Hat, Inc. <[email protected]> _______________________________________________ Freedombox-discuss mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
