Counterpoint
Total Page:16
File Type:pdf, Size:1020Kb
COVER STORY AppArmor vs. SELinux Novell and Red Hat security experts face off on AppArmor and SELinux COUNTERPOINT www.photocase.com Security Enhanced Linux or App Armor? Linux Magazine invited two well-known per- sonalities from Red Hat and Novell to debate the merits of their security systems. BY ACHIM LEITNER ovell and Red Hat are currently complexity of the resulting software. The doing battle to establish their re- Crispin Cowan, Novell Strict Policy that SELinux first provided Nspective products as competitive AppArmor[1] and SELinux have similar was found to be too strict to be usable, protection systems for Linux. Whereas goals of improving Linux security, but and so SELinux actively moved towards Red Hat adopted SELinux years ago, No- the goals differ in detail. AppArmor se- the AppArmor model with the Targeted vell introduced their AppArmor protec- cures individual applications against la- Policy, which simulates AppArmor’s tion system after acquiring Immunix. tent defects, and pro- Both systems are licensed under the tects an entire system Figure 1: Crispin Cowan: GPL, both aim to make Linux more se- against a particular “Simplicity is the soul of cure, and both give administrators more threat such as network security…SELinux seems to control over applications privileges. attack, by protecting all have been designed to meet We asked spokesmen from Novell and applications that face the NSA’s desire for arbi- Red Hat to explain why their security the network. SELinux trarily complex policy at the system is the best. Crispin Cowan, who instead sought to con- expense of usability…App- came to Novell from Immunix, will be trol the whole system, Armor was designed for talking first about the advantages of including assuring usability – to meet the needs AppArmor. Then Daniel Riek will ex- properties like informa- of most Linux users.” plain why Red Hat will be sticking with tion flow, and SELinux SELinux. paid the price in the 40 ISSUE 69 AUGUST 2006 WWW.LINUX - MAGAZINE.COM AppArmor vs. SELinux COVER STORY Crispin Cowan to have been designed to meet the NSA’s desire for arbitrarily complex policy at Crispin Cowan was the CTO and founder LSM (Linux Security Modules) interface the expense of usability. Poor usability is of Immunix, Inc., which was recently ac- in Linux 2.6. critical, because it often causes security quired by Novell. Dr. Cowan now works Dr. Cowan also co-invented the “time-to- to not be deployed at all, and SELinux is as an architect for Novell with respect to patch” method of assessing when it is often disabled when users find the pol- security for the Linux platform and appli- safe to apply a security patch. Prior to icy too difficult to manage. AppArmor cations that Novell offers for Linux, and founding Immunix, he was a professor with particular attention to the App- with the Oregon Graduate Institute was designed for usability – to meet the Armor product that came with the Im- Department of Computer Science and needs of most Linux users, both home munix acquisition. Dr. Cowan developed Engineering. He holds a Ph.D. from and enterprise. Try it for yourself: several host security technologies, the University of Western Ontario and AppArmor is available for Slackware, including the StackGuard compiler a Masters of Mathematics from the Ubuntu, Gentoo, Red Hat, Pardus, and defense against buffer overflows and the University of Waterloo. integrated into all new editions of Suse Linux for the x86, x86-64, Itanium, per-application access control model. icy is built in 5 minutes. The AppArmor Power, and Z-series architectures. AppArmor lets administrators confine Apache profile is 133 lines, while the applications in familiar terms: you spec- corresponding SELinux Apache policy Daniel Riek, Red Hat ify the application to be confined and is 826 lines. Magnus Runesson reports SELinux applies strict MAC-based access the files to be accessed with absolute he was able to port AppArmor to Ubuntu controls at kernel level (see the article path names, followed by familiar read in less time than it took him to compre- on SELinux). It mititages the impact of and write access modes. Groups of files hend and modify an SELinux policy. successful attacks, guarantees the confi- are granted using traditional shell wild- Despite AppArmor’s relative simplic- dentiality of data, and fulfills complex cards, so /home/*/public_html/**.html r ity, it can also provide security protec- security demands thanks to context- grants read access to all .html files in tion that SELinux cannot. AppArmor dependent domain changes. everyone’s public_html tree. provides for sub-process confinement of The first company to announce SE- SELinux instead applies labels to files portions of a process, something which Linux support in a commercial product and processes and defines security pol- SELinux has recently added. However, was Novell, although this did not mean icy in terms of which labels can access AppArmor also comes with an Apache that they provided a policy suitable for which other labels. Labeled access con- module to use this feature, so that users production use. At this point, the policy trols are an established technique from can create AppArmor profiles for things was not suitable for a widespread mar- the 1970s, however labels in the general as small as a perl script executed by ket: too strict, too many restrictions for case significantly hinder usability: mod_perl, or even an individual PHP user application, and certainly some- • You must label the file system and cre- page. I know of no other technology that what over the top. It was Red Hat that ate security policy as separate steps, can confine individual PHP pages. launched the first mature, and produc- creating a circular dependency for the tion-capable product. Every Red Hat En- user between specifying labels and No Need for Changes terprise Linux 4 installation, and Fedora specifying policy. AppArmor is transparent to the applica- installation, enables SELinux for central • Some applications such as tar do not tion. No application modification is network services by default. preserve labels, so data archived and needed to use AppArmor, except for sub- restored with tar will lose its labels. process confinement, which requires Global Community • NFS mounted filesystems cannot sup- some cooperation from the protected SELinux is supported by a large and ac- port labels, so the whole file system process. That cooperation can be tive community. Besides non-commer- gets a single label. Thus all network achieved using a module if the applica- cial users and providers, the community file systems get an all-or-nothing tion supports modules. If AppArmor is includes Red Hat, IBM, HP, NSA, DOD, policy decision: each application can abruptly removed, the system continues Tresys, and Trusted Computing Systems. either access the entire file system or to function identically the way it worked These organizations all cooperate on im- none of it. with AppArmor in place, except that it is Simplicity is the soul of security: the now more vulnerable to attack. Figure 2: Daniel more complex a system is, the more SELinux can only apply some of its Riek: “…would likely it is to be configured badly. Worse, features to un-modified applications; the you want your if a security policy cannot be under- full feature set is only available if you re- credit card data stood, then it is no policy at all; it is a link the application to libselinux, which stored on a black box that you hope provides some is feasible for open source applications, server whose protection, but you really don’t know. but problematic for proprietary enter- security policy prise applications. was created by a Much Simpler novice user using AppArmor is considerably simpler than App Armor Preferred Yast and App- SELinux. This can be seen in this video AppArmor and SELinux both provide Armor’s complain from Fosdem[2], where an Apache pol- high quality security. But SELinux seems mode?” WWW.LINUX - MAGAZINE.COM ISSUE 69 AUGUST 2006 41 COVER STORY AppArmor vs. SELinux proving policies, developing a powerful even boasts that AppArmor does not policies. The question is if this can still be auditing infrastructure and policy devel- guarantee data confidentiality, in con- considered Mandatory Access Control. opment tools [4], providing trouble- trast to SELinux, claiming that this fea- shooting support, and advising users. ture is only useful to secret services. A Question of Flexibility In contrast to this, Novell dropped SE- Not a word is lost about credit card The claim that AppArmor is more flexi- Linux last year, and started to promote data, customer data, medical records, ble than SE-Linux is not based on factual AppArmor, which it had recently ac- accounts data, Basel II, and Sabranes- evidence. Admittedly, an AppArmor con- quired from Immunix, as a more simple Oxley compliance… figuration can be modified more quickly, alternative. Instead of investing in coop- And the claim that you need to rebuild because it defines a less secure system. eration within the OSS community, and applications for SELinux is misleading. But this has nothing to do with flexibil- helping to make SELinux easier to use, With SELinux, the security context after ity. AppArmor’s unidimensional profile Novell decided to fork the security archi- launching a new process depends on design does not give you the same level tecture in Linux, and hand off responsi- who launched the process in which of security and flexibility that SELinux’s bility to developers and users, in an ap- context. There is no need to change the dynamic security context changes do. A proach that reminded Dan Walsh, the application to do this, and security con- program can run with different privi- head of SELinux development at Red Hat, texts are clearly defined.