After my previous two posts about SELinux and AppArmor, “Stupid advice and some of my own ideas” and Rusty AppArmor?, another post of the same topic.
I had another look around for information on AppArmor and of course also followed a link leading directly to Novell where I found a Novell’s AppArmor and SELinux comparison.
Well, it was clear that they would present a shiny AppArmor and that SELinux wouldn’t come out very good, but what I’ve read there wasn’t only surprising, in my oppinion it was even ridiculous.
The shortcomings Joshua Brindle showed are here shown as the big advantages of AppArmor over SELinux. To make it longer Novell doesn’t feel shy to repeat arguments with slightly different wording and even show facts which aren’t even true.
In this post I want to give my personal view on a few of the mentioned points.
Pathname based system does not require labelling or relabelling filesystem
Pathnames are easy to understand and audit
Attaches labels to all files, processes
Not all applications preserve labels
Okay, pathnames are easier to handle for the normal user, which is, as far as I understand, is the targeted audience of Novell’s distributions. But as mentioned in my previous post (and of course in Joshua’s Blog, which was the inspiration and one source of information for these posts) does this limit security to specified paths.
Already a simple hardlink to a file can tear holes into your security-system.
And what the heck is wrong with using filesystem labels? All modern filesystems available in Linux, like for example ext3, JFS and XFS, support them. So why not use them?
And yes, maybe not all programs support preserving these labels yet, but that work is in progress. More and more tools support SELinux out of the box or at least after applying a little patch. The most important tools, like the GNU coreutils and similar tools, already support it.
Whenever a technology that goes deep into the system is implemented tools have to be adjusted. SELinux is such a technology and work is being done. And everything works pretty fine so far. There are no problems and it just keeps getting better.
Automated tools in place
Hard to maintain
Yes, AppArmor can be easily configured in a few minutes with Yast. But this is because it offers a security which is far less complex than SELinux offers. And the tools for SELinux are on their way. As mentioned in my second post (Rusty AppArmor?) SELinux was completely implemented first and now the tools to make it easier for the user are being worked on. In my opinion this is the right way to do it. AppArmor might be easier to use, but it has limitations compared to SELinux.
Easier integration with Novell platforms
Low adoption rate
This point gave me real good laughs. Wow, AppArmor is easier to integrate with Novell platforms. Of course, it’s your own product!
And I have no idea how these guys do their research, but the point about a low adoption rate of SELinux is simply wrong!
Just have a look at how many distros use AppArmor and how many use SELinux:
AppArmor: 2 (Suse Enterprise and OpenSuse), I read it should be implementable with Ubuntu, Debian and even Fedora (although I wouldn’t know why anybody would want to replace SELinux with AppArmor in Fedora).
SELinux: At least 4 (EnGarde Secure Linux, Red Hat Enterprise, Fedora, EasyLFS), and it’s implementable into Debian, Ubuntu, Slackware and, as far as I remember, even Suse.
Of course I might have missed a few on both sides, but so far the numbers pretty much are in favor of SELinux.
Integrated GUI/Console toolset
Hard to manage rules
Lack of integrated tools
Now we start repeating ourselves, don’t we? Well, it’s nice that AppArmor is easy to use, but it lacks the complexity a proper security-implementation should offer. SELinux offers this complexity and this, so far, comes with a little more work for the user, but in my opinion it’s totally worth it. As mentioned before AppArmor doesn’t add very much to the security Linux offers out of the box, and that’s already the end of the line. With SELinux you have a lot more options, which of course comes with a more complex configuration. And did I mention that the tools to make configuring SELinux are on their way?
Proficiency with 1-2 days training
Usability is primary goal
Substantial training investment
I think it would have been nice if security would have been Novell’s primary goal here, but let’s not further follow this thought, Suse is made for the normal user, and you shouldn’t expect too much of him, right?
But to be honest, who would want to have his credit-card-data or medical information stored on a server that has been secured by clicking through the AppArmor-configuration for 10 minutes after two days of reading on how to start Yast and where to find the AppArmor-module?
That kind of data has to be stored on a server that has been properly secured. And what do you need for this? Right, training! And not just for a few days. In a few days you can’t build up the experience you need for this.
You wouldn’t hire somebody who just had a one week crashcourse on Windows-server as your server-admin too, right?
The points Novell brings up here (I limited my comments to their first table, this is followed by some example-policies) aren’t really correct.
As shown before security based on pathnames alone has some problems. Instead of using AppArmor it might be more secure using chroot-jails. And unlike AppArmor SELinux even works in that kind of environment, because the changed the pathnames do not affect security since files have been labeled and permissions are controlled using these labels.
After all I read about AppArmor and SELinux even Novell’s comparison of the two systems doesn’t help giving me a better opinion about AppArmor. The information shown there isn’t what I had expected, they’re repeating themselves to fill the page and the point about SELinux’ low adoption rate is a joke.
Just like Novell’s distros AppArmor is targeted at the normal user.
As I have probably mentioned in my previous post, plans to integrate AppArmor into my distro EasyLFS have been frozen, if not terminated. One reason is that I do not really believe in the security AppArmor offers, and also because EasyLFS is targeted at experienced users, which I expect to be capable of configuring SELinux.