COVER STORY AppArmor vs. SELinux

Novell and Red Hat security experts face off on AppArmor and SELinux COUNTERPOINT www.photocase.com Security Enhanced or App Armor? Linux Magazine invited two well-known per- sonalities from Red Hat and to debate the merits of their security systems. BY ACHIM LEITNER

ovell and Red Hat are currently complexity of the resulting software. The doing battle to establish their re-  Crispin Cowan, Novell Strict Policy that SELinux first provided Nspective products as competitive AppArmor[1] and SELinux have similar was found to be too strict to be usable, protection systems for Linux. Whereas goals of improving Linux security, but and so SELinux actively moved towards Red Hat adopted SELinux years ago, No- the goals differ in detail. AppArmor se- the AppArmor model with the Targeted vell introduced their AppArmor protec- cures individual applications against la- Policy, which simulates AppArmor’s tion system after acquiring . tent defects, and pro- Both systems are licensed under the tects an entire system Figure 1: Crispin Cowan: GPL, both aim to make Linux more se- against a particular “Simplicity is the soul of cure, and both give administrators more threat such as network security…SELinux seems to control over applications privileges. attack, by protecting all have been designed to meet We asked spokesmen from Novell and applications that face the NSA’s desire for arbi- Red Hat to explain why their security the network. SELinux trarily complex policy at the system is the best. Crispin Cowan, who instead sought to con- expense of usability…App- came to Novell from Immunix, will be trol the whole system, Armor was designed for talking first about the advantages of including assuring usability – to meet the needs AppArmor. Then Daniel Riek will ex- properties like informa- of most Linux users.” plain why Red Hat will be sticking with tion flow, and SELinux SELinux. paid the price in the

40 ISSUE 69 AUGUST 2006 WWW.LINUX - MAGAZINE.COM AppArmor vs. SELinux COVER STORY

Crispin Cowan to have been designed to meet the NSA’s desire for arbitrarily complex policy at Crispin Cowan was the CTO and founder LSM () interface the expense of usability. Poor usability is of Immunix, Inc., which was recently ac- in Linux 2.6. critical, because it often causes security quired by Novell. Dr. Cowan now works Dr. Cowan also co-invented the “time-to- to not be deployed at all, and SELinux is as an architect for Novell with respect to patch” method of assessing when it is often disabled when users find the pol- security for the Linux platform and appli- safe to apply a security patch. Prior to icy too difficult to manage. AppArmor cations that Novell offers for Linux, and founding Immunix, he was a professor with particular attention to the App- with the Oregon Graduate Institute was designed for usability – to meet the Armor product that came with the Im- Department of Computer Science and needs of most Linux users, both home munix acquisition. Dr. Cowan developed Engineering. He holds a Ph.D. from and enterprise. Try it for yourself: several host security technologies, the University of Western Ontario and AppArmor is available for , including the StackGuard compiler a Masters of Mathematics from the , Gentoo, Red Hat, Pardus, and defense against buffer overflows and the University of Waterloo. integrated into all new editions of Suse Linux for the x86, x86-64, Itanium, per-application access control model. icy is built in 5 minutes. The AppArmor Power, and Z-series architectures. AppArmor lets administrators confine Apache profile is 133 lines, while the applications in familiar terms: you spec- corresponding SELinux Apache policy  Daniel Riek, Red Hat ify the application to be confined and is 826 lines. Magnus Runesson reports SELinux applies strict MAC-based access the files to be accessed with absolute he was able to port AppArmor to Ubuntu controls at kernel level (see the article path names, followed by familiar read in less time than it took him to compre- on SELinux). It mititages the impact of and write access modes. Groups of files hend and modify an SELinux policy. successful attacks, guarantees the confi- are granted using traditional shell wild- Despite AppArmor’s relative simplic- dentiality of data, and fulfills complex cards, so /home/*/public_html/**.html r ity, it can also provide security protec- security demands thanks to context- grants read access to all .html files in tion that SELinux cannot. AppArmor dependent domain changes. everyone’s public_html tree. provides for sub-process confinement of The first company to announce SE- SELinux instead applies labels to files portions of a process, something which Linux support in a commercial product and processes and defines security pol- SELinux has recently added. However, was Novell, although this did not mean icy in terms of which labels can access AppArmor also comes with an Apache that they provided a policy suitable for which other labels. Labeled access con- module to use this feature, so that users production use. At this point, the policy trols are an established technique from can create AppArmor profiles for things was not suitable for a widespread mar- the 1970s, however labels in the general as small as a perl script executed by ket: too strict, too many restrictions for case significantly hinder usability: mod_perl, or even an individual PHP user application, and certainly some- • You must label the file system and cre- page. I know of no other technology that what over the top. It was Red Hat that ate security policy as separate steps, can confine individual PHP pages. launched the first mature, and produc- creating a circular dependency for the tion-capable product. Every Red Hat En- user between specifying labels and No Need for Changes terprise Linux 4 installation, and Fedora specifying policy. AppArmor is transparent to the applica- installation, enables SELinux for central • Some applications such as tar do not tion. No application modification is network services by default. preserve labels, so data archived and needed to use AppArmor, except for sub- restored with tar will lose its labels. process confinement, which requires Global Community • NFS mounted filesystems cannot sup- some cooperation from the protected SELinux is supported by a large and ac- port labels, so the whole file system process. That cooperation can be tive community. Besides non-commer- gets a single label. Thus all network achieved using a module if the applica- cial users and providers, the community file systems get an all-or-nothing tion supports modules. If AppArmor is includes Red Hat, IBM, HP, NSA, DOD, policy decision: each application can abruptly removed, the system continues Tresys, and Trusted Computing Systems. either access the entire file system or to function identically the way it worked These organizations all cooperate on im- none of it. with AppArmor in place, except that it is Simplicity is the soul of security: the now more vulnerable to attack. Figure 2: Daniel more complex a system is, the more SELinux can only apply some of its Riek: “…would likely it is to be configured badly. Worse, features to un-modified applications; the you want your if a security policy cannot be under- full feature set is only available if you re- credit card data stood, then it is no policy at all; it is a link the application to libselinux, which stored on a black box that you hope provides some is feasible for open source applications, server whose protection, but you really don’t know. but problematic for proprietary enter- security policy prise applications. was created by a Much Simpler novice user using AppArmor is considerably simpler than App Armor Preferred Yast and App- SELinux. This can be seen in this video AppArmor and SELinux both provide Armor’s complain from Fosdem[2], where an Apache pol- high quality security. But SELinux seems mode?”

WWW.LINUX - MAGAZINE.COM ISSUE 69 AUGUST 2006 41 COVER STORY AppArmor vs. SELinux

proving policies, developing a powerful even boasts that AppArmor does not policies. The question is if this can still be auditing infrastructure and policy devel- guarantee data confidentiality, in con- considered . opment tools [4], providing trouble- trast to SELinux, claiming that this fea- shooting support, and advising users. ture is only useful to secret services. A Question of Flexibility In contrast to this, Novell dropped SE- Not a word is lost about credit card The claim that AppArmor is more flexi- Linux last year, and started to promote data, customer data, medical records, ble than SE-Linux is not based on factual AppArmor, which it had recently ac- accounts data, Basel II, and Sabranes- evidence. Admittedly, an AppArmor con- quired from Immunix, as a more simple Oxley compliance… figuration can be modified more quickly, alternative. Instead of investing in coop- And the claim that you need to rebuild because it defines a less secure system. eration within the OSS community, and applications for SELinux is misleading. But this has nothing to do with flexibil- helping to make SELinux easier to use, With SELinux, the security context after ity. AppArmor’s unidimensional profile Novell decided to fork the security archi- launching a new process depends on design does not give you the same level tecture in Linux, and hand off responsi- who launched the process in which of security and flexibility that SELinux’s bility to developers and users, in an ap- context. There is no need to change the dynamic security context changes do. A proach that reminded Dan Walsh, the application to do this, and security con- program can run with different privi- head of SELinux development at Red Hat, texts are clearly defined. Only very few leges depending on who launches it and and others, of the legacy Unix issues [5]. programs require modifications. from which context. This allows for ex- The AppArmor FAQ has this to say AppArmor’s sub-process restrictions tremely flexible security profiles. about security: “Using the YaST GUI, it’s allow you to run, for example, PHP The SELinux architecture is also suit- a straightforward task for novice users to scripts via mod_php in a context differ- able for security designs beyond MAC. develop security profiles, while power ent from the context of Apache itself, al- And the MLS and MCS implementations users retain the flexibility they need to though both run within the same pro- provide ample evidence that the design create finely-tuned profiles.” But would cess. The FAQ mentions that this is only works (see the article on SELinux). Both you want your credit card data stored on possible with a special version of store attributes as extended filesystem a server whose security policy was cre- Apache with modifications by Novell. attributes and thus support seamless in- ated by a novice user using Yast and In other words, AppArmor needs to tegration with the SELinux policy. AppArmor’s complain mode? In contrast rebuild, too, from time to time. to this, Red Hat focuses on enterprise The design of AppArmor has enor- SELinux Preferred use. Software vendors provide verified mous disadvantages: there is nothing to SELinux is the most consistent imple- SELinux policies that customers config- stop malevolent code injected by an at- mentation of Mandatory Access Control ure within the framework of validated tacker into the PHP context from run- in a standard product today. It derives parameters. ning in the Apache context later. After from a fundamental understanding of all, they use the same memory sector. the way attacks on IT systems work. Does More Code hit by an exploit can’t give you se- This said, hackers are always one step Of course App Armor is easier to config- curity! Thus, this scenario will permit ahead in the race to discover the next ure because it addresses a far smaller escalation of privileges – that’s a bug not major exploit. The architecture needs to group of security problems. The FAQ a feature. take this into account and guarantee that even a successful hack does not cause Daniel Riek Labels vs. Pathnames serious problems. Daniel Riek (Figure 2) has been Product The situation with the filesystem argu- The decision of SELinux or AppArmor Manager since ment is similar: SELinux uses security is the choice between a comprehensive the beginning of 2006. He joined the labels, which are stored as extended at- security architecture on the one hand, company in mid-2003. Before moving to tributes for filesystem objects. Novell and local ad hoc improvements on the product development, Riek was a Solu- views this as an extension that is only other. The typical security demands tion Architect and provided pre-sales supported by specific filesystems. In made by Red Hat Enterprise Linux users customer advisory services. fact, extended attributes are a standard can only be truly met by the more com- Riek founded ID-PRO, an Internet and feature that just a few filesystems lack, plex SELinux. ■ GNU/ Linux service provider, while he and thus more of an argument against was studying computer science at at the Novell’s favorite, Reiser FS. INFO University of Bonn, Germany; and the AppArmor uses pathnames in its pro- company grew to become an interna- [1] AppArmor: files, but they can’t guarantee security. http:// www. . org/ AppArmor tional player. In 2001, Riek moved from ID-PRO to the French free software ser- Whereas SELinux’s -linked security [2] AppArmor video: vice provider, Alcove, where he was re- labels refer to actual filesystem objects, ftp:// ftp. belnet. be/ pub/ mirror/ FOSDEM/ FOSDEM2006-. avi sponsible for activities in Germany and App Armor’s pathnames use an abstrac- mainly dealt with key accounts from IT tion layer that doesn’t necessarily reflect [3] SELinux: http:// www. nsa. gov/ selinux/ and banking. Riek was a member of the the real filesystem. Symbolic links are a [4] Developing SELinux policies: LIVE Linux association’s board for many simple example of the multi-faceted is- http:// selinuxnews. org years, and the organization’s spokes- sues. An object can use multiple path- [5] Interview with Dan Walsh: http:// person. names and thus be governed by different danwalsh. livejournal. com/ 424. html

42 ISSUE 69 AUGUST 2006 WWW.LINUX - MAGAZINE.COM