Re: To the contrary

(Anonymous)
This is the second time I hear something like this from Novell:

"unlike SELinux, AppArmor does not require the developer to support AppArmor"

Novell Users FAQ (http://en.opensuse.org/Users_FAQ) says:

"Applications don't have to be modified at all to be protected by AppArmor. To get the full power of SELinux, applications must be recompiled and linked against SELinux libraries."

I'm not sure what you mean by "to get the full power", but the above statements seem to be blatant lies. Could you please elaborate what modifications are necessary for the application to be protected by SELinux? Propaganda is a subtle art and exaggerating may be dangerous.

Re: To the contrary

(Anonymous)
It's pretty much a lie, which is why he hasn't responded. :(

OTOH, we don't have to worry about AppArmor going far if they have to resort to fibbing to make it look advantageous.

Re: To the contrary

(Anonymous)
I'm just curious if any of the responders have actually used and implemented both products. I've worked with AppArmor, SELinux, and Argus Pitbull under Linux. They all offer significantly improved security. The difference is in how long it takes to secure something. If you have weeks to spend securing something with SELinux or Pitbull, great. I'd rather spend an hour with AppArmor and be done with it. I don't work for Novell but I've known the Immunix guys for a long time. Check out LSM (http://lsm.immunix.org) if you think they haven't been involved in everything for a long long time.

-Dan Elder
Linux Practice Manager
Novacoast, Inc.

Re: To the contrary

(Anonymous)
Excellent, but does your opinion have anything to do with my original post? I didn't say that AppArmor or Immunix are bad or incompetent, just that Novell seems to spread deliberate misinformation about SELinux, that's all.

I can believe AppArmor is easier to use (I use SELinux and only read the AppArmor manual) but I also suspect (perhaps I need to learn more) that it's also less flexible and possibly less secure. MAC shouldn't be considered a toy, for which a pretty GUI (and no need for training) is the key factor. To be perfectly honest, I admit that SELinux documentation should definitely be improved.

Re: To the contrary

(Anonymous)
In a fully deployed scenario SELinux certainly does have the ability to provide greater security than AppArmor as it can address a wider range of threat models. Unfortunately, making MAC both secure and practical (i.e., deployable for most organizations) isn't the easiest of tasks and AppArmor does focus on usability instead of covering every possible threat vector. I didn't mean to discredit SELinux, just to point out that for the vast majority of users out there for whom SELinux is too complicated to deploy that AppArmor is available and very easy (in my mind anyway) to set up.
Cheers,
Dan

Re: To the contrary

(Anonymous)
Actually, to be fair to Crispin...I believe he's been traveling quite a bit over the last month...probably more so than he's used to. Know I've seen him at a few locations across the US this month and I've been traveling a bit...he might have missed this...don't think he'd avoid confrontation to be honest :-)

But please feel free to post the question to him directly or to the public forum set up for AppArmor (which I believe he may watch a bit more than this blog...no offense) and you'll probably get the answers you need.

If you think they're wrong, by all means, ask them to show their proof or stop saying it. But honestly, most of the folks I've known at Novell don't blatantly lie...it's really not in their nature...most are actually hard working individuals just like at other organizations trying to make a difference, e.g. RedHat, Apple, etc.
