http://lwn.net/Articles/166975/ This is a special feed containing comments posted to the individual LWN article titled "Novell releases AppArmor". hourly 2 http://lwn.net/Articles/167951/rss 2006-01-17T02:43:29+00:00 etbe With SE Linux there are access controls to determine which processes can <br> create a hard link to a file. For example with the strict policy most <br> processes on the system are not permitted to create hard links to files <br> in /etc. I believe that some of the Common Criteria certifications <br> require that the system label Inodes not file names so any system that <br> doesn't do something similar to what SE Linux does will not do well in <br> certification. <br> <br> In a conventional Unix system there is nothing preventing you from having <br> a /etc/shadow file in a chroot environment with different permissions to <br> the "real" one. <br> <br> A bigger problem for AppArmor is the fact that file specs are relative to <br> the root of a file system. So /etc/shadow is equivalent <br> to /home/etc/shadow if /home is a separate file system. <br> http://lwn.net/Articles/167764/rss 2006-01-16T11:55:19+00:00 nix I concur. Powerful (if less powerful than SELinux) and usable enough that mortal non-professional paranoids can write policies :)<br> <p> (The low performance hit is a nice extra too.)<br> http://lwn.net/Articles/167763/rss 2006-01-16T11:53:47+00:00 nix Well, as I understand it AppArmor uses the filename to *look up* the inode number and then tags the inode. Obviously no other system would be secure under hardlinks, especially if as standard POSIX semantics demand any user can hardlink files owned by other users into directories they control. (I think it reasonable to assume that any system designed by Crispin Cowan wouldn't have a design flaw as large as you imply in it!)<br> <p> Obviously the AppArmor globbing/regexing thing is something which should be used with care: don't put wildcards at the front of the name!<br> <p> What might really cause problems for AppArmor, and for any filename-based system, is wide use of filesystem namespaces. If /etc/shadow refers to a different file depending on the PID, what do you do?<br> <p> (Mind you, this screws up conventional Unix security as well. I think that no matter what you do to the filesystem namespace, / and /etc had better remain non-writable by anyone but root.)<br> http://lwn.net/Articles/167661/rss 2006-01-14T00:27:20+00:00 etbe In the Unix permission scheme (IE user, group, and other having RWX bits) <br> the file name is NOT used for access control. If for example I use the <br> "mv" command to rename a file it will have the same permissions after the <br> rename operation. Any MAC system which does not control access based on <br> the Inode (as SE Linux does with XATTRs that are associated with the <br> Inode) will not preserve the same semantics as Unix permissions in regard <br> to renaming files. <br> <br> Then there's the issue of hard-links. In Unix file systems a file with <br> hard links does not have one canonical name, each of the hard links can <br> be considered equally authoritative. When access is based on a regular <br> expression and you have two different regexes matching different hard <br> links to a file then you have different access granted to a file <br> depending on which name you use to access it. <br> <br> For a comprehensive MAC system you want to be able to audit the <br> policy. For example to secure the /etc/shadow file we want to know which <br> domains can read/write it and which programs can be used to enter those <br> domains so that we know which programs to audit to verify that there is <br> no possibility of stealing or changing passwords. Such analysis is not <br> possible when the programs that have access to the shadow file may have <br> different labels depending on which name is used to access them. <br> <br> A further complication of AppArmor is that file paths seem only valid <br> within a file system. So if /home is a separate file system then a <br> hostile user could request that the administrator give them an account <br> name which matches a regular expression for some system files. Think <br> about if a user had an account named "lib" or "opt"... <br> <br> http://lwn.net/Articles/167640/rss 2006-01-13T21:05:07+00:00 nix Well, yes, except that in SELinux all security policies are applied to types (which are a labelling scheme of sorts, therefore). This means that you end up needing a *lot* of types and a massive tangle of relationships between files, types, and security policies...<br> <p> ... I can see that it's more flexible than AppArmor, but ye gods is it also more complex, and TBH most of us just don't need that complexity.<br> http://lwn.net/Articles/167552/rss 2006-01-13T13:59:53+00:00 davecb I used to work on B2 Multics, and never even noticed that<br> they were running mandatory security. I've since lived<br> for some years with a Trusted Solaris 7 system, and<br> only the sysadmin was different. I expect SE Linux<br> will become as easy to use.<br> <p> And, just by the way, the labels are things like<br> "secret" "confidential" and "unclassified", not<br> labels like filenames.<br> <p> --dave<br> http://lwn.net/Articles/167551/rss 2006-01-13T13:56:47+00:00 davecb This is a **very** nice approach.<br> <p> --dave (former professional paranoid) c-b<br> http://lwn.net/Articles/167401/rss 2006-01-12T13:29:39+00:00 nix I've been avoiding SELinux because of its sheer complexity and overdesign: I don't need labelled security, and neither does anyone else I know: filenames are perfectly adequate labels. This looks *much* more maintainable (as in `practical for a mortal human to write a set of policies'). It's very nice that there's now a demarcation between `coarse root-only security' and SELinux.<br> <p> (And, hey, something that uses capabilities for something near their intended purpose! Wow!)<br>