Nuxified

FOSS technologies explained

July 2, 2007

Novell’s comparison of AppArmor and SELinux

After my previous two posts about SELinux and AppArmor, “Stupid advice and some of my own ideas” and “Rusty AppArmor?”, here is another post on the same topic.
I had another look around for information on AppArmor and of course also followed a link leading directly to Novell, where I found Novell’s AppArmor and SELinux comparison.
Well, it was clear that they would present a shiny AppArmor and that SELinux wouldn’t come out very well, but what I read there wasn’t only surprising; in my opinion it was even ridiculous.
The shortcomings Joshua Brindle pointed out are shown here as the big advantages of AppArmor over SELinux. To pad it out, Novell doesn’t shy away from repeating arguments with slightly different wording, and even states facts which aren’t true.

In this post I want to give my personal view on a few of the mentioned points.

AppArmor wrote:

Pathname based system does not require labelling or relabelling filesystem
Pathnames are easy to understand and audit

SELinux wrote:

Attaches labels to all files, processes
Not all applications preserve labels

Okay, pathnames are easier to handle for the normal user, which is, as far as I understand, the target audience of Novell’s distributions. But as mentioned in my previous post (and of course in Joshua’s blog, which was the inspiration and one source of information for these posts), this limits security to the specified paths.
Already a simple hardlink to a file can tear holes into your security system.
And what the heck is wrong with using filesystem labels? All modern filesystems available in Linux, like for example ext3, JFS and XFS, support them. So why not use them?
And yes, maybe not all programs support preserving these labels yet, but that work is in progress. More and more tools support SELinux out of the box or at least after applying a little patch. The most important tools, like the GNU coreutils and similar tools, already support it.
Whenever a technology that goes deep into the system is implemented, tools have to be adjusted. SELinux is such a technology and the work is being done. And everything works pretty well so far. There are no problems and it just keeps getting better.

AppArmor wrote:

Automated tools in place

SELinux wrote:

Hard to maintain

Yes, AppArmor can be easily configured in a few minutes with Yast. But this is because it offers security which is far less complex than what SELinux offers. And the tools for SELinux are on their way. As mentioned in my second post (“Rusty AppArmor?”), SELinux was completely implemented first, and now the tools to make it easier for the user are being worked on. In my opinion this is the right way to do it. AppArmor might be easier to use, but it has limitations compared to SELinux.

AppArmor wrote:

Easier integration with Novell platforms

SELinux wrote:

Low adoption rate

This point gave me a real good laugh. Wow, AppArmor is easier to integrate with Novell platforms. Of course, it’s your own product!
And I have no idea how these guys do their research, but the point about a low adoption rate of SELinux is simply wrong!
Just have a look at how many distros use AppArmor and how many use SELinux:
AppArmor: 2 (Suse Enterprise and OpenSuse), I read it should be implementable with Ubuntu, Debian and even Fedora (although I wouldn’t know why anybody would want to replace SELinux with AppArmor in Fedora).
SELinux: At least 4 (EnGarde Secure Linux, Red Hat Enterprise, Fedora, EasyLFS), and it’s implementable into Debian, Ubuntu, Slackware and, as far as I remember, even Suse.

Of course I might have missed a few on both sides, but so far the numbers are pretty much in favor of SELinux.

AppArmor wrote:

Integrated GUI/Console toolset

SELinux wrote:

Hard to manage rules
Lack of integrated tools

Now we start repeating ourselves, don’t we? Well, it’s nice that AppArmor is easy to use, but it lacks the complexity a proper security implementation should offer. SELinux offers this complexity and this, so far, comes with a little more work for the user, but in my opinion it’s totally worth it. As mentioned before, AppArmor doesn’t add very much to the security Linux offers out of the box, and that’s already the end of the line. With SELinux you have a lot more options, which of course comes with a more complex configuration. And did I mention that the tools to make configuring SELinux easier are on their way?

AppArmor wrote:

Proficiency with 1-2 days training
Usability is primary goal

SELinux wrote:

Substantial training investment

I think it would have been nice if security had been Novell’s primary goal here, but let’s not follow this thought any further; Suse is made for the normal user, and you shouldn’t expect too much of him, right?
But to be honest, who would want to have his credit-card data or medical information stored on a server that has been secured by clicking through the AppArmor configuration for 10 minutes after two days of reading on how to start Yast and where to find the AppArmor module?
That kind of data has to be stored on a server that has been properly secured. And what do you need for this? Right, training! And not just for a few days. In a few days you can’t build up the experience you need for this.
You wouldn’t hire somebody who just had a one-week crash course on Windows Server as your server admin either, right?

The points Novell brings up here (I limited my comments to their first table, which is followed by some example policies) aren’t really correct.
As shown before, security based on pathnames alone has some problems. Instead of using AppArmor it might be more secure to use chroot jails. And unlike AppArmor, SELinux even works in that kind of environment, because the changed pathnames do not affect security: files have been labeled and permissions are controlled using these labels.
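To make the hardlink argument above and the point about labels surviving changed pathnames concrete, here is an added illustration (my own, not code from Novell, AppArmor or SELinux): a deliberately simplified model of a path-based rule and a label-based rule, run against a real file and a real hardlink in a temporary directory. The label store is simulated with a dict keyed by (device, inode) rather than real security.* xattrs, so it runs unprivileged.

```python
import fnmatch
import os
import tempfile


# Simplified model of a path-based rule: the confined program may read
# only paths that match the glob. This is an illustration, not AppArmor.
def path_allows(rule_glob, path):
    return fnmatch.fnmatch(path, rule_glob)


# Simplified model of a label-based rule: the label belongs to the inode,
# the way an SELinux xattr does, not to the name used to reach it.
# Simulated label store: {(st_dev, st_ino): type}, instead of real xattrs.
def label_of(labels, path):
    st = os.stat(path)
    return labels.get((st.st_dev, st.st_ino), "unlabeled_t")


def label_allows(labels, allowed_types, path):
    return label_of(labels, path) in allowed_types


def demo():
    """Create a secret file, hardlink it into a 'public' dir, check both models."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "secret"))
        os.makedirs(os.path.join(root, "public"))
        secret = os.path.join(root, "secret", "data")
        with open(secret, "w") as f:
            f.write("constructed sample secret\n")  # constructed content
        alias = os.path.join(root, "public", "data")
        os.link(secret, alias)  # same inode, second pathname

        rule = os.path.join(root, "public", "*")  # program may read public/* only
        st = os.stat(secret)
        labels = {(st.st_dev, st.st_ino): "secret_t"}  # label on the inode
        allowed_types = {"public_t"}  # program may read public_t only

        return {
            "same_inode": os.stat(secret).st_ino == os.stat(alias).st_ino,
            "path_original": path_allows(rule, secret),       # denied
            "path_hardlink": path_allows(rule, alias),        # allowed: the hole
            "label_original": label_allows(labels, allowed_types, secret),
            "label_hardlink": label_allows(labels, allowed_types, alias),
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The path rule lets the hardlinked name through, while the label check gives the same answer for both names because it never looked at the path.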

After all I read about AppArmor and SELinux, even Novell’s comparison of the two systems doesn’t help give me a better opinion of AppArmor. The information shown there isn’t what I had expected: they’re repeating themselves to fill the page, and the point about SELinux’ low adoption rate is a joke.
Just like Novell’s distros AppArmor is targeted at the normal user.
As I have probably mentioned in my previous post, plans to integrate AppArmor into my distro EasyLFS have been frozen, if not terminated. One reason is that I do not really believe in the security AppArmor offers, and also because EasyLFS is targeted at experienced users, which I expect to be capable of configuring SELinux.


Article by reptiler / Community Blogs