There has been a steady uptick of people stating that they will migrate (or already have) to Debian – seeking refuge from what they see as greedy corporate influence. I understand the sentiment fully. However, there’s a problem here that I want to talk about: security.

The ugly truth is that security is hard. It’s tedious. Unpleasant. And requires a lot of work to get right.

Debian does not do enough here to protect users.

Long ago, Red Hat embraced the usage of SELinux. And they took it beyond just enabling the feature in their kernel. They put in the arduous work of crafting default SELinux policies for their distribution.

However, its default security framework leaves much to be desired. Debian’s decision to enable AppArmor by default starting with version 10 signifies a positive step towards improved security, yet it falls short due to the half-baked implementation across the system.

The fundamental difference between AppArmor and SELinux lies in their approach to Mandatory Access Control (MAC). AppArmor operates on a path-based model, while SELinux employs a significantly more complex type enforcement system. This distinction becomes particularly evident in container environments.

The practical implications of these differences are significant. In a SELinux environment, a compromised container faces substantial hurdles in accessing or affecting the host system or other containers, thanks to the dual barriers of type enforcement and MCS labels.

TLDR: According to the author, Debian’s use of AppArmour is not as effective as RedHat’s use of SELinux when it comes to security.

  • SquiffSquiff@lemmy.world
    link
    fedilink
    arrow-up
    15
    ·
    2 months ago

    Ok, aside from Android, I’ve yet to see any serious usage of SELinux in the real world and I’ve been working on cloud tech for years. Acknowledged issues such as complexity aside, it’s really just that much less relevant in a modern, single purpose environment such as Docker/kubernetes/cloud functions/etc

    • kbal@fedia.io
      link
      fedilink
      arrow-up
      12
      ·
      2 months ago

      I’ve yet to see any serious usage of SELinux in the real world

      I too have successfully avoided it, but we must acknowledge that not everyone has been so fortunate.