danwalsh


Dan Walsh's Blog

Got SELinux?


Linux fragmentation - a view from the Security community
Some History
------------
I have lived the Unix wars over the past 20 years. I worked on Project
Athena back at Digital Equipment (DEC) in the late 1980's and remember
all the effort that it took to make it work on multiple UNIX versions.

We had the best technology at the time. MIT and DEC had awesome
technology including instant messaging (Zephyr), security (Kerberos),
distributed management (Moira), secure file systems with Kerberized NFS
and AFS, shared name service via DNS and Hesiod, and a network windowing
system (X). You could walk up to any machine and log in and have the
same environment. We had single sign-on. We had universities working on
the product. It was a perfect system. But then we decided it needed to run
on multiple different Unixes. We spent untold dollars making it work.
The problem was instead of improving the overall product, we spent all
of our time dealing with differences between the platforms. During this
time Microsoft was developing NT group-ware products and ended up
blowing us out of the water. The Unix wars had destroyed a great
product.

Linux consistency refocuses Unix developers
-------------------------------------------
After a few years of working on Microsoft platforms for managing
security infrastructure on Unix and Non-Unix platforms, I came to Linux.
Linux seemed to have corrected the problems of the UNIX wars. It was
community based, all vendors shared the same code and worked together to
build a common platform. Sure, there were multiple competing layered
products, but almost all could run on all the different distributions.
Third party vendors could fairly easily build to a single API and it
worked on everyone's Linux.

Three years ago, I was asked to work on the SELinux Team at Red Hat to
bring Mandatory Access Control to a mainstream operating system (OS).
MAC had been attempted before but had always failed or became a one-off
OS. OS vendors would ship the primary OS and then a "Trusted" version.
This "Trusted" version would quickly become out of date as the main
development efforts would always go into the primary OS and eventually
be ported to the "Trusted" version.

With SELinux we decided we could do both at the same time. Using the
Open Source method, we could get multiple companies and customers
working on it. We had some stumbles along the way, but through the use
of the Fedora Core collaborative development process we came up with a
single OS that uses MAC and handles everything from your laptop to the
highest levels of security specified by government.

Today we have great technology. We have many companies and government
organizations collaboratively working on SELinux together, including Red
Hat, IBM, HP, NSA, DOD, Tresys, Trusted Computing Systems. We have a
significant open source community built around SELinux, colleges and
universities contributing and doing experiments with it. We have
multiple distributions shipping with SELinux including Fedora Core
(2, 3, 4 and soon 5), Red Hat Enterprise Linux 4, Gentoo, Debian, Ubuntu,
Suse and Slackware.

Security Deja Vu
----------------
Everything seems to be going great, but ... Novell, who last year
claimed to be the first Linux distribution to ship with SELinux
technology, suddenly announced that they are dropping support for it. To
replace it, they bought a product called AppArmor and are now asking
third party developers to use it instead of SELinux. Is this the
beginning of the Unix wars all over again?

Not only is AppArmor divergent from upstream/community, but it is also not
suitable as a real alternative to SELinux, because it lacks the flexibility
and scalability of SELinux to address the full range of security concerns,
and its limitations are not just in implementation but architectural.

Novell claims that AppArmor is easier to use for third parties. But now
users and developers have to choose one or the other mechanism for
providing MAC, and ignore the other platform's security mechanism. Or do
twice as much work, to support both. Think back to the Project Athena
example. Is this easier? Couldn't Novell have spent their money on
making SELinux easier to use? No, Novell chooses to split the user and
developer community. I am not sure what their goals are, but I feel this
hurts Linux and the open source movement. The community has now gotten
SELinux to the point where "easier" is coming, but built upon a solid
foundation.

My fear now is that the Linux OS community has given application
developers an excuse to support neither security infrastructure, because
supporting either of them would prevent their product from running in
the other environment. So, for a developer, supporting neither SELinux
nor AppArmor is the cheapest alternative, and maximizes the potential
customer base.

Instead of leveraging collaborative open source development to make
Linux the most secure operating system in the world, the now fragmented
Linux security community will be doing battle over who has the prettier
GUI. And the ISV community will ignore us.

Conclusion
-----------
The best outcome would be to have Novell work with the SELinux/open source
community to bring the benefits of AppArmor to the architecture/infrastructure
that is SELinux. This collaboration would benefit the entire Linux community.

To the contrary

(Anonymous)

2006-02-10 02:03 am (UTC)

SUSE had determined to drop SELinux long before AppArmor came along, because it had proved to be unusable. Even RH users seem to think so, as RH reported at the 2005 SELinux summit that the #1 question was "how do I turn SELinux off?"

SELinux has been available to the open source community for many years, and is now a standard part of RH's install. Yet the vast majority of people who look at it reject it and choose nudity instead :) In the usual open source world, that rate of rejection usually says "nice try, how about something else?"

Contrary to the claims above, I think AppArmor is actually *more* flexible than SELinux. Because of its much greater ease of use, a mere mortal sys admin can adjust AppArmor policy on the fly, without even having to re-start the contained process. Changing SELinux policy, in practice, requires someone with substantial SELinux expertise. Unless you have someone with those skills on staff, you need to call a consultant just for a configuration change.

Your fears about application developers having to choose between SELinux and AppArmor are unfounded; unlike SELinux, AppArmor does not require the developer to support AppArmor. Anyone can make an effective profile for an application with the AppArmor tools.

The reason for the split is that this has nothing to do with GUIs. For that matter, I'll concede that SELinux actually has prettier GUIs, but AppArmor is still an order of magnitude easier to use. The reasons are deeply founded in the security model, and it would not be possible to move SELinux to this point without completely ripping it apart and making it be ... well, AppArmor. SELinux and AppArmor are already sharing the code that we agree upon: LSM http://lsm.immunix.org/ which was developed jointly by Immunix and SELinux, as well as numerous other open source contributors.

I am painfully aware of the UNIX fragmentation wars. Open source licensing is the solution, which is why AppArmor was recently released under the GPL http://en.opensuse.org/Apparmor Competing projects in the open source space allows users to make a choice. With the very low adoption rate of SELinux, I think users are crying out for another choice.

Crispin
---
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Olympic Games: The Bi-Annual Festival of Corruption

Re: To the contrary

(Anonymous)

2006-02-28 11:41 am (UTC)

This is the second time I hear something like this from Novell:

"unlike SELinux, AppArmor does not require the developer to support AppArmor"

Novell Users FAQ (http://en.opensuse.org/Users_FAQ) says:

"Applications don't have to be modified at all to be protected by AppArmor. To get the full power of SELinux, applications must be recompiled and linked against SELinux libraries."

I'm not sure what you mean by "to get the full power", but the above statements seem to be blatant lies. Could you please elaborate what modifications are necessary for the application to be protected by SELinux? Propaganda is a subtle art and exaggerating may be dangerous.

Re: To the contrary

(Anonymous)

2006-03-01 05:44 pm (UTC)

It's pretty much a lie, which is why he hasn't responded. :(

OTOH, we don't have to worry about apparmor going far if they have to resort to fibbing to make it look advantageous.

Re: To the contrary

(Anonymous)

2006-03-01 07:40 pm (UTC)

I'm just curious if any of the responders have actually used and implemented both products. I've worked with AppArmor, SELinux, and Argus Pitbull under Linux. They all offer significantly improved security. The difference is in how long it takes to secure something. If you have weeks to spend securing something with SELinux or Pitbull, great. I'd rather spend an hour with AppArmor and be done with it. I don't work for Novell but I've known the Immunix guys for a long time. Check out LSM (http://lsm.immunix.org) if you think they haven't been involved in everything for a long long time.

-Dan Elder
Linux Practice Manager
Novacoast, Inc.

Re: To the contrary

(Anonymous)

2006-03-02 10:11 am (UTC)

Excellent, but does your opinion have anything to do with my original post? I didn't say that AppArmor or Immunix are bad or incompetent, just that Novell seems to spread deliberate misinformation about SELinux, that's all.

I can believe AppArmor is easier to use (I use SELinux and only read the AppArmor manual) but I also suspect (perhaps I need to learn more) that it's also less flexible and possibly less secure. MAC shouldn't be considered a toy, for which a pretty GUI (and no need for training) is the key factor. To be perfectly honest, I admit that SELinux documentation should definitely be improved.

Re: To the contrary

(Anonymous)

2006-03-26 05:50 am (UTC)

In a fully deployed scenario SELinux certainly does have the ability to provide greater security than AppArmor as it can address a wider range of threat models. Unfortunately, making MAC both secure and practical (i.e., deployable for most organizations) isn't the easiest of tasks and AppArmor does focus on usability instead of covering every possible threat vector. I didn't mean to discredit SELinux, just to point out that for the vast majority of users out there for whom SELinux is too complicated to deploy, AppArmor is available and very easy (in my mind anyway) to set up.
Cheers,
Dan

Re: To the contrary

(Anonymous)

2006-03-31 03:47 am (UTC)

Actually, to be fair to Crispin...I believe he's been traveling quite a bit over the last month...probably more so than he's used to. Know I've seen him at a few locations across the US this month and I've been traveling a bit...he might have missed this...don't think he'd avoid confrontation to be honest :-)

But please feel free to post the question to him directly or to the public forum set up for AppArmor (which I believe he may watch a bit more than this blog...no offense) and you'll probably get the answers you need.

If you think they're wrong, by all means, ask them to show their proof or stop saying it. But honestly, most of the folks I've known at Novell don't blatantly lie...it's really not in their nature...most are actually hard working individuals just like at other organizations trying to make a difference, e.g. RedHat, Apple, etc.

Re: To the contrary

srlamb

2006-03-01 05:15 am (UTC)

SELinux has been available to the open source community for many years, and is now a standard part of RH's install. Yet the vast majority of people who look at it reject it and choose nudity instead :) In the usual open source world, that rate of rejection usually says "nice try, how about something else?"

Have you considered the possibility that these users have no need for either SELinux or AppArmor? I'm one of the people who turns SELinux off. It's not because it's flawed. It's because I got an EACCES one day, did not understand why from "ls" output, and then much later saw in /var/log/secure something about SELinux denying the call. It was easier to turn it off than to understand an entire layer of security that I didn't need on a minimum-security installation. The standard Unix model was sufficient for what I was doing, and I already understood it. AppArmor would have suffered the same fate.

This is probably the common case. These people are not saying "I extensively evaluated SELinux, was dissatisfied, and thus wanted to turn it off". They're saying "I want to use the simple system I already understand". If people don't have complex needs, you won't get them to use a complex security system. That doesn't mean the complex system is wrong. There may be a subset of people who need it to be just how it is, and they'll be pissed if you try to get them to use anything else.

Re: To the contrary

ttrtt

2007-09-02 01:55 pm (UTC)

delete
