Access_Control_Comparison_Table
This page is an attempt to show a comparison table of the main access control solutions for Linux.
The table should state facts, not opinions, or give links to benchmarks.
Please keep it objective and avoid "we are the best". Please also keep to simple facts: this is a comparison, not a review. We don't care how much more comprehensive one thing is than another; just add a row with how many syscalls are covered. If you want to write a review, write one elsewhere and link to it.
| | RSBAC | grsecurity | SELinux | AppArmor | Smack |
|---|---|---|---|---|---|
| Full name | RuleSet Based Access Control | GetRewted Security | Security-Enhanced Linux | AppArmor (formerly SubDomain) | Simplified Mandatory Access Control Kernel |
| Origins | German | American | NSA (American) | Immunix | Casey Schaufler |
| Developers | 5 active | 1 | Contributors | SUSE, Ubuntu, Annvix | |
| Distributions including it as a standard feature | Hardened Gentoo, Adamantix, Mandriva, T2, Alt Linux | Hardened Gentoo, Hardened Linux From Scratch | Hardened Gentoo, Fedora Core, Red Hat Enterprise Linux, Debian | openSUSE, SLES, Pardus, Annvix, Ubuntu (Gutsy) | |
| Distributions with a patch or 3rd-party support | Debian, Ubuntu, Fedora (RPM available) | Debian (source patch for the kernel) | Debian, SUSE, Ubuntu | | |
| Company support | MPrivacy | Various | NSA, Red Hat, HP, IBM | SUSE | |
| Current stable | 2.6.x & 2.4.x | 2.6.14.6 & 2.4.33.4 | Mainline kernel 2.6; 2.4 support dropped | 2.6.x | Mainline kernel as of 2.6.25 |
| Development process | Open: SVN view, anonymous SVN, Git, bug tracker, live todo list, live commits, IRC, mailing list | Open: anonymous CVS, IRC, mailing list, web forum | Open: in kernel, Git, SourceForge, mailing list | Open: openSUSE wiki | |
| Optimizations | Hashed list lookups O(1), ordered generic lists, attribute inheritance | Hashed lookups O(1) | Access Vector Cache O(1) | Access granted once, rechecked when rights change | |
| PaX integration | Yes | Yes | No | No | |
| Exec-Shield integration | No | No | Yes | No | |
| Hook type | RSBAC + REG | grsecurity's own hooks | LSM | LSM | LSM |
| Framework logic | GFAC | N/A | Flask | | |
| Label storage | rsbac.dat, filesystem independent | N/A | xattrs/metadata, filesystem dependent | none on objects (path-based rules only); filesystem independent | xattrs (security.SMACK64), filesystem dependent |
| Inode labeling | Yes, but moving a file may change access because of inheritance (check the effective attributes when they are inherited) | No: rename changes access | Yes | No: rename changes access | Yes |
| Supported models | MAC, RC, ACL, FF, UM, PM, DAZ, JAIL | RBAC, ACL | TE, RBAC, MLS, MCS | | Label-based MAC |
| Additional features | Secure delete, process hiding, hiding of files you have no access to, symlink redirection, in-kernel user management, on-access virus scanning | Random IP ID, process hiding, chroot restrictions, TPE, symlink restrictions | User-space access vector cache | Sub-process confinement: can confine individual PHP pages, mod_perl scripts and Tomcat servlets | |
| Policy learning mode | Yes, built-in, non-critical modules only | Yes, built-in, extensive | Yes, external (audit2allow, polgen) | Yes, initial policy generation and incremental policy updates | |
| Portability | Complete (never ported) | N/A | Complete; already ported to other kernels | Available for x86, x86-64, IA64, POWER, zSeries and ARM | |
| Patents | Unknown | Unknown | Unknown; Type Enforcement patent expired (SCC statement of assurance) | Unknown | |
| Evaluations | ULD EAL4+ (CyberGuard) | N/A | CAPP EAL4+ (SUSE Linux); RHEL 5 in progress for CAPP, RBAC and LSPP at EAL4+ | | |
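The "Label storage" and "Inode labeling" rows describe three different behaviours under rename: a label stored on the inode (SELinux, Smack) travels with the object, a path-based rule (AppArmor) matches whatever name the object currently has, and an inherited attribute (RSBAC) is resolved from the parent directory at decision time. The toy model below, added here and not taken from any of the projects in the table, shows all three on the same two renames. Every label, path, policy and class name in it is constructed for illustration.

```python
"""Toy model of label-based, path-based and inherited access decisions.

Constructed example: none of this is code from RSBAC, SELinux, AppArmor or
Smack, it only mimics how each one's decision reacts to a rename."""
import fnmatch
import posixpath


class LabelBasedFS:
    """Label stored with the inode (as an xattr would be): rename only changes
    the name-to-inode mapping, so the decision does not change."""

    def __init__(self):
        self.inodes = {}  # path -> label

    def create(self, path, label):
        self.inodes[path] = label

    def rename(self, old, new):
        self.inodes[new] = self.inodes.pop(old)

    def may_read(self, subject, path, policy):
        # policy: set of (subject label, object label) pairs that allow read
        return (subject, self.inodes[path]) in policy


class PathBasedFS:
    """Objects carry no label; the profile lists path globs, so which rule
    matches depends on the object's current name."""

    def __init__(self):
        self.names = set()

    def create(self, path):
        self.names.add(path)

    def rename(self, old, new):
        self.names.remove(old)
        self.names.add(new)

    def may_read(self, profile, path, policy):
        # policy: profile name -> list of readable path globs
        globs = policy.get(profile, ())
        return path in self.names and any(fnmatch.fnmatchcase(path, g) for g in globs)


class InheritingFS(LabelBasedFS):
    """Label on the inode, but an inode with no explicit label (None) takes the
    label of its nearest labelled ancestor directory, so moving such a file
    changes the effective label. This is the caveat in the RSBAC cell."""

    def effective_label(self, path):
        while path:
            label = self.inodes.get(path)
            if label is not None:
                return label
            parent = posixpath.dirname(path)
            if parent == path:
                break
            path = parent
        return None

    def may_read(self, subject, path, policy):
        return (subject, self.effective_label(path)) in policy


def run_scenarios():
    """Apply the same two renames to each model and return the decisions."""
    results = {}
    label_policy = {("httpd_t", "httpd_content_t")}  # constructed policy

    # 1. Label on the inode: the decision follows the object, not its name.
    lfs = LabelBasedFS()
    lfs.create("/srv/www/index.html", "httpd_content_t")
    lfs.create("/etc/shadow", "shadow_t")
    lfs.rename("/srv/www/index.html", "/tmp/index.html")
    lfs.rename("/etc/shadow", "/srv/www/shadow")
    results["label_moved_page"] = lfs.may_read("httpd_t", "/tmp/index.html", label_policy)
    results["label_moved_secret"] = lfs.may_read("httpd_t", "/srv/www/shadow", label_policy)

    # 2. Path-based: the same two renames invert both decisions.
    pfs = PathBasedFS()
    path_policy = {"/usr/sbin/httpd": ["/srv/www/*"]}  # constructed profile
    pfs.create("/srv/www/index.html")
    pfs.create("/etc/shadow")
    results["path_before"] = pfs.may_read("/usr/sbin/httpd", "/srv/www/index.html", path_policy)
    pfs.rename("/srv/www/index.html", "/tmp/index.html")
    pfs.rename("/etc/shadow", "/srv/www/shadow")
    results["path_moved_page"] = pfs.may_read("/usr/sbin/httpd", "/tmp/index.html", path_policy)
    results["path_moved_secret"] = pfs.may_read("/usr/sbin/httpd", "/srv/www/shadow", path_policy)

    # 3. Inherited attribute: an unlabelled file takes its directory's label,
    #    so moving it between directories changes the decision.
    ifs = InheritingFS()
    ifs.create("/srv/www", "httpd_content_t")
    ifs.create("/tmp", "tmp_t")
    ifs.create("/srv/www/index.html", None)  # no explicit label: inherits
    results["inherit_before"] = ifs.may_read("httpd_t", "/srv/www/index.html", label_policy)
    ifs.rename("/srv/www/index.html", "/tmp/index.html")
    results["inherit_moved"] = ifs.may_read("httpd_t", "/tmp/index.html", label_policy)
    return results


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The check a practitioner takes from this: under a path-based policy, moving a file into a directory a profile may read grants access to it (`path_moved_secret`), and under inherited attributes a file with no explicit label silently changes class when moved, so the effective label, not the stored one, is what must be audited.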
Benchmarks (take them with a grain of salt):
Last modified: Wed, 23 Apr 2008 08:31:00 +1000
