Re: Comments

I just wanted to clear up a few misconceptions with what you said:

"My blog was about how Novell did not work with the community and I believe has hurt Linux development."

This is a subjective point, but considering the amount of time and resources Novell spends on the Linux ecosystem, I don't know where you get this from.

"SELinux policy can be modified on the fly without re-starting a "contained" process; you only have to re-start the process if you are changing what domain you are putting it into (vs. just changing some allow rules), and AppArmor is no different in that respect. Further, SELinux has runtime booleans which AppArmor lacks. Booleans allow an administrator to change the way policy an application is allowed to run without having to write policy. So if you want to turn off the ability for apache to run cgi scripts, you simply set a boolean rather than having to change a line of policy."

There's never a need to restart an application with AppArmor once you have a profile for it. Make as many changes to it as you want, you never restart the process. The learning mode of AppArmor makes this very simple as well as the tools provided to add capabilities after the fact.

"SELinux also supports dynamic context transitions, so we can create an Apache module that switches domains for PHP scripts. We favor exec-based transitions because they are more "secure" (stronger boundaries between domains, real control over the code executed in the new domain), but SELinux has the flexibility to support it."

AppArmor can do the same thing at an even lower level with mod_changehat. You don't have to exec a php page, but it can still have a separate security domain. This lets any single file under Apache run potentially with a separate security policy, some greater than the apache process and some more restricted. Security transitions are fully supported in all applications. You don't have to compile an application to use AppArmor, but if you do write it with change_hat support you can have a very robust security transitioning mechanism built in from the ground up.

"Our goal is to give administrators choices of how they want to run their system, without forcing them to write policies."

Choice is a great thing; it's one of the things that makes Linux so strong. I myself would rather have a profiling tool write a policy for me in 5 minutes than have to worry about all the intricacies of label-based security, but that's my own choice.

"The fact that "AppArmor doesn't require the developer to support AppArmor" is an indictment of AppArmor not providing real security. Ultimately, applications have to be involved in providing higher level security guarantees, and they need some awareness of the underlying security model. SELinux provides the infrastructure and APIs for such applications."

AppArmor provides an API that applications can use to support their security transitions. Novell has a modified Apache and SSH daemon which includes this functionality to offer even greater security. Of course, you don't have to modify your application to lock it down with AppArmor, but you can get more granular control of it if you do.

"Open Source means more than just dumping code over the fence with a suitable license; it has connotations of community and upstream, which SELinux has had since 2000, vs. AppArmor's recent entry."

Yes, AppArmor is newly OSS, but at some point every piece of OSS software was new. It's open now, fully supported, and has an active community forming around it. It's not being abandoned or anything like that; they opened it up to the community so that it could be used by everyone. You would probably ignore it as being commercial if they hadn't.

The last time I checked there wasn't exactly any standard for MAC under Linux that every distro relies on. Quite the contrary, every distro I've seen try to implement SELinux has been bogged down. Which is ok, SELinux isn't meant to be easy, but for those of us who don't have unlimited time to secure a system and want to maximize our security AppArmor is a great fit.

-Dan Elder

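As an added illustration (not part of Dan's comment, and not one of Novell's shipped profiles), this is the shape of an AppArmor profile with hats, which is the mechanism behind the change_hat transitions discussed above: the Apache process runs under the main profile, and mod_changehat or change_hat-aware application code switches a single request into a hat, a sub-profile whose rules are independent of the parent's and usually tighter. The binary path, hat names and directories are assumed placeholders for this example; the mapping from URI to hat name is set in the Apache module's own configuration, which is not shown here.

```apparmor
# Example profile added for illustration; paths and hat names are assumed.
#include <tunables/global>

/usr/sbin/httpd2-prefork {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setuid,
  capability setgid,

  /usr/sbin/httpd2-prefork mr,
  /etc/apache2/** r,
  /var/log/apache2/* w,
  /srv/www/htdocs/** r,

  # Fallback hat for requests that match no specific hat:
  # read the document root and nothing else.
  ^HANDLING_UNTRUSTED_INPUT {
    #include <abstractions/base>
    /srv/www/htdocs/** r,
  }

  # Hat for one application: only its own tree plus what it needs.
  # Hats do not inherit the parent's rules, so /etc/apache2 is not
  # readable here even though the main profile allows it.
  ^app-one {
    #include <abstractions/base>
    /srv/www/htdocs/app-one/** r,
    /var/log/app-one.log w,
  }
}
```

After editing the profile, `apparmor_parser -r /etc/apparmor.d/usr.sbin.httpd2-prefork` replaces the copy loaded in the kernel while Apache keeps running, which is the no-restart behaviour the comment describes. Because a hat's rules stand on their own, a file the parent profile allows is denied inside any hat that does not list it, which is what lets one request run more restricted than the server process itself.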