Linux security non-modules and AppArmor
Posted Jun 29, 2007 7:50 UTC (Fri) by dlang
In reply to: Linux security non-modules and AppArmor
Parent article: Linux security non-modules and AppArmor
Yes, some people don't know what they are talking about on all sides of any topic.
However, there are many people who do make a living in security who do see value in AppArmor, but you just dismiss them as not thinking things through or not understanding security.
You are trying to define security == SELinux.
By your definition, anyone who proposes anything else just doesn't know what they are talking about.
There are applications where you really want the security context to follow the data file the way labels do in SELinux (think of a file containing your credit card number; you don't want the security on it to change just because you renamed it).
However, in other cases all that really matters is what you would access by a particular name (for example, the contents of what used to be called /etc/resolv.conf is of no value; all that matters is the current contents).
Using either approach to address the other type of problem will only cause grief. SELinux was born in the NSA, where they primarily deal with securing specific data, no matter where it moves, and there labeling data is the natural and best answer.
AppArmor approaches security from the opposite direction. Instead of labeling all the data and then defining what can access what, it takes the approach of using a 'label' that is already on the system, the pathname you use to access the file. It then lets you set rules about which of these labels a program can access.
Another way of looking at AppArmor is that instead of being data-centric (identify the data you care about and list all the programs that access it) it's process-centric (identify the programs you care about and list all the data they can access).
SELinux is better if you are trying to defend a system against hostile local users, but since re-labeling data is extremely expensive, you need to do a lot of analysis first.
Since AppArmor uses labels that already exist on the system, making radical changes to how any program can access any data doesn't require re-labeling any of the data (which can have secondary effects on policies for other programs that access the data); all you need to do is change the rules related to the program.
There are other technical trade-offs involved in the implementation.
For AppArmor the hard thing (besides getting into the kernel) is determining the path for the thing being accessed.
SELinux has different problems:
- what to label new files that are created
- how to configure a policy to grant access to a new file automatically
- the need for special tools when manipulating data to change the label
The need to figure out the path for AppArmor on one side vs. the issues in figuring out what label a new file should have in SELinux.
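The two situations the comment contrasts (a credit-card file that is renamed, and /etc/resolv.conf that is replaced by a freshly written file) can be played through in a small model. This is an added example, not code from AppArmor, SELinux or the commenter: it models a label-based policy as (domain, file type) allow pairs stored on the inode, and a path-based policy as per-program lists of path patterns. The labels (card_t, net_conf_t, tmp_t), domains (billing_t, resolver_t) and profile names are invented for illustration; real SELinux additionally applies type transitions and file_contexts defaults to new files, and real AppArmor resolves paths from the kernel dentry, neither of which the toy reproduces.

```python
# Added toy model (not AppArmor or SELinux code) contrasting label-based
# mediation, where the context travels with the inode, with path-based
# mediation, where the rule names the path. All labels, domains and
# profile names below are made up for illustration.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Inode:
    content: str
    label: str          # SELinux-style type stored with the data itself


@dataclass
class Filesystem:
    # Directory: path -> inode. Labels live on the inode, so rename() keeps
    # them; replacing the file at a path brings in a new inode and label.
    entries: dict = field(default_factory=dict)

    def create(self, path, content, label):
        self.entries[path] = Inode(content, label)

    def rename(self, old, new):
        # rename(2) moves the inode; nothing about its label changes
        self.entries[new] = self.entries.pop(old)

    def lookup(self, path):
        return self.entries[path]


class LabelPolicy:
    """SELinux-style: allow rules are (process domain, file type) pairs."""

    def __init__(self, allow):
        self.allow = set(allow)

    def permitted(self, domain, fs, path):
        return (domain, fs.lookup(path).label) in self.allow


class PathPolicy:
    """AppArmor-style: one profile per program, listing path patterns."""

    def __init__(self, profiles):
        self.profiles = profiles

    def permitted(self, program, fs, path):
        # the data's own attributes are never consulted, only the name used
        return any(fnmatchcase(path, pat) for pat in self.profiles.get(program, ()))


def rename_scenarios():
    """Return which accesses each model permits after the two renames."""
    fs = Filesystem()
    fs.create("/home/alice/card.txt", "4111...", label="card_t")
    fs.create("/etc/resolv.conf", "nameserver 10.0.0.1", label="net_conf_t")

    labels = LabelPolicy([("billing_t", "card_t"), ("resolver_t", "net_conf_t")])
    paths = PathPolicy({"billing": ["/home/alice/card.txt"],
                        "resolver": ["/etc/resolv.conf"]})
    out = {}

    # Case 1: the credit-card file is renamed. The label follows the data,
    # the path rule does not, so the path model loses the access it granted.
    fs.rename("/home/alice/card.txt", "/tmp/notes.txt")
    out["label_billing_after_rename"] = labels.permitted("billing_t", fs, "/tmp/notes.txt")
    out["path_billing_after_rename"] = paths.permitted("billing", fs, "/tmp/notes.txt")
    # and nobody else gained access to the card under either model
    out["label_resolver_reads_card"] = labels.permitted("resolver_t", fs, "/tmp/notes.txt")
    out["path_resolver_reads_card"] = paths.permitted("resolver", fs, "/tmp/notes.txt")

    # Case 2: a DHCP client writes a fresh resolv.conf and renames it into
    # place. The path rule keeps working; the new inode carries whatever
    # label it was created with (here a generic tmp_t), so the label model
    # denies the resolver until someone relabels the file.
    fs.create("/etc/resolv.conf.new", "nameserver 10.0.0.2", label="tmp_t")
    fs.rename("/etc/resolv.conf.new", "/etc/resolv.conf")
    out["path_resolver_after_replace"] = paths.permitted("resolver", fs, "/etc/resolv.conf")
    out["label_resolver_after_replace"] = labels.permitted("resolver_t", fs, "/etc/resolv.conf")

    # The fix on the label side is an explicit relabel (what chcon or
    # restorecon do on a real system), a step the path model never needed.
    fs.lookup("/etc/resolv.conf").label = "net_conf_t"
    out["label_resolver_after_relabel"] = labels.permitted("resolver_t", fs, "/etc/resolv.conf")
    return out


if __name__ == "__main__":
    for name, allowed in rename_scenarios().items():
        print(f"{name:32} {'allow' if allowed else 'deny'}")
```

Running it prints the seven decisions: after the rename only the label model still lets billing read the card data, and after resolv.conf is replaced only the path model still lets the resolver read it until the new file is relabeled.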