LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

SELinux and AppArmor

SELinux and AppArmor

Posted Oct 15, 2009 12:57 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
In reply to: SELinux and AppArmor by rahulsundaram
Parent article: Walsh: Google Chrome Policy

First, the insufficiency of path-based approach is a FUD. It works just fine.

Of course, label-based approach of SELinux is more powerful. But what good do these features do if I need to spend days just to write a basic policy?

AppArmor is 'good enough' for most purposes (like, confining a daemon to read only certain directories). For example, this very FireFox is confined to read and write only several directories by AppArmor on my system.

And its policy is clear enough so even a newbie administrator can understand it.

(Log in to post comments)

SELinux and AppArmor

Posted Oct 16, 2009 15:50 UTC (Fri) by rahulsundaram (subscriber, #21946) [Link]

You claim that the argument from a security expert is FUD even though several other experts agree with it. Alright, prove your counter argument. Write a quick AppArmor policy that covers Chrome comprehensively. If it is really as easy as you claim, then it shouldn't any problem, right? Let's deal with reality. SELinux policies are complex because security is complex and if the alternative was so easy, why doesn't it have any developers like you admit yourself?

SELinux and AppArmor

Posted Oct 16, 2009 18:22 UTC (Fri) by dlang (✭ supporter ✭, #313) [Link]

it all depends what experts you decide are qualified to give opinions.

there are many security people out there who consider SELinux far too complicated for normal use, and who see benefits in AppArmor.

SELinux and AppArmor

Posted Oct 16, 2009 20:08 UTC (Fri) by nix (subscriber, #2304) [Link]

I suppose it doesn't have any developers because SuSE fired all its
developers and its main developer went to work for Microsoft.

Oh, also because the SELinux people fought tooth and nail to keep it out
of the kernel.

Some prophecies are self-fulfilling.

SELinux and AppArmor

Posted Oct 16, 2009 20:20 UTC (Fri) by dlang (✭ supporter ✭, #313) [Link]

canonical has people working on AppArmor, so it's not quite 'no developers' any more.

but the tooth and nail fight to keep it out of the kernel would do a lot to discourage development.

SELinux and AppArmor

Posted Oct 17, 2009 0:48 UTC (Sat) by rahulsundaram (subscriber, #21946) [Link]

That's hilariously wrong. James Morris, SELinux developer at Red Hat is the security sub-system maintainer in the upstream kernel and he has not only accepted alternatives to SELinux and merged them, he also regularly blogs about progress and even expressed hope that AppArmor would get merged

http://blog.namei.org/

SELinux and AppArmor

Posted Oct 17, 2009 2:18 UTC (Sat) by dlang (✭ supporter ✭, #313) [Link]

I will admit that I do not remember James objecting, but he also hasn't been saying anything to disagree with Stephen Smalley (the other SELinux maintainer) who has been _very_ vocal in his opposition.

SELinux and AppArmor

Posted Oct 17, 2009 3:04 UTC (Sat) by rahulsundaram (subscriber, #21946) [Link]

Stephen Smalley is one of the many SELinux developers but his objections were pretty specific. Some of them were even addressed in subsequent versions of the patch set. I don't see any reasons to object to valid technical criticism.

SELinux and AppArmor

Posted Oct 17, 2009 3:19 UTC (Sat) by dlang (✭ supporter ✭, #313) [Link]

I don't object to valid technical criticism.

however when that becomes 'it doesn't handle this case that SELinux does, so it must be worthless', that stops being valid technical criticism, and the objections have frequently gotten to that stage (and, no, my memory is not good enough to remember exactly who made which objections)

SELinux and AppArmor

Posted Oct 17, 2009 3:44 UTC (Sat) by rahulsundaram (subscriber, #21946) [Link]

It seems you are badly paraphrasing comments elsewhere. If you point a specific link, it would be useful to know what was actually said. Some of the discussions involved the problem that the goals described the developers while submitting the patchset didn't match the patches.

It is ok for a security solution to address a specific subset of the problems while leaving others as outside the scope but the documentation should explicitly say so. If it doesn't then it makes it harder to merge those patches. Smack did a good job of describing the scope of the problem it was trying to address.

SELinux and AppArmor

Posted Oct 16, 2009 21:17 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

AppArmor is not ideologically pure, that's why experts don't like it.

But it's _simple_. And it works.

I don't know what's inside the Chrome policy, but you can see the FireFox policy here:

SELinux and AppArmor

Posted Oct 18, 2009 15:47 UTC (Sun) by kleptog (subscriber, #1183) [Link]

My one run in with AppArmor was getting a weird error message from tcpdump. Turns out it was forbidden from reading files outside of /home???

Disabling AppArmor solved the problem. SELinux hasn't got a monopoly on obscure error messages.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds