SELinux vs. AppArmor vs. Standard vs. What?

Lisa Kachold lisakachold at obnosis.com
Sat Nov 1 19:41:54 MST 2008


I am going to dissect this post (item by item) - you will have to deal with that!

See Below:

> Subject: Re: SELinux vs. AppArmor vs. Standard vs. What?
> From: ted at gould.cx
> To: plug-discuss at lists.plug.phoenix.az.us
> Date: Sat, 1 Nov 2008 02:20:37 +0000
> 
> 
> I'm going to top post, you'll have to deal :)
> 
> I think that the three come down to what are your goals.  One of the
> goals of SELinux is to make it so that it can be configured to the point
> of not having a root user.  

The goal of SELinux is to limit binary processes to files.

Reference:  http://www.usenix.org/events/sec03/tech/full_papers/jaeger/jaeger_html/node2.html

It has nothing to do with root users, or permissions for users other than it provides an object framework upon them.

SELinux is a wrapper OVER root users, regular process permissions.

Reference:  http://packages.debian.org/etch/selinux-policy-refpolicy-targeted

> Basically so the IT guy can't read the
> president's e-mail.  This is very cool if you need that level of
> security -- but I'm guessing you're not sending nuclear launch codes (or
> at least I hope not).  The problem comes down to, with flexibility and
> power you definitely have enough rope to shoot yourself in the foot.

Negative - the IT guy CAN STILL read the president's email if he has server access and permissions.

Reference:  http://whitepapers.zdnet.com/abstract.aspx?docid=286306

I know of no SELinux policy that excludes root or IT access from reading email.

[Irregardless - the IT staff generally can sniff network packets and payloads therefore they can read all SMTP which is CLEAR TEXT transmissions anyway...]


> I've talked with the folks implementing AppArmor in Ubuntu a lot about
> this, and one of the problems that we saw is that almost any Fedora
> HOWTO on the Internet starts with "disable SELinux."  I'm not sure how
> many Fedora systems have it running and how many don't, but I'm guessing
> that a fair number don't because of this.  Not good.

During build, it's appropriate to disable SELinux, then run the Wizard or set up your policy once your server is set up.

Evidently you have not read through nor implemented either SELinux or AppArmor (these are standard tasks).

SELinux uses inode addressing for security; AppArmor (developed by C. Cowan as part of Immunix - later Novell SUSE) uses file based security.

AppArmor is installed with kernel locking generally for SUSE.  Added onto Ubuntu, it's just a file based protection.  
Easy to implement Wizards and file based tuning for policies are available.

Both SELinux and AppArmor are as easy to SECURELY build and implement PROPERLY and PROFESSIONALLY (following all the instructions) as:

Nagios
Exim/PostFix/MailScanner/Sendmail
PHP/MySQL
Postgresql
Iptables
Tripwire
XEN 
Bind 9
SSL/SSH

(all standard professional tools for modern systems administrators)

> One of the things that AppArmor does (which isn't as restrictive) is do
> more wild cards and different configurations that get evaluated at
> runtime.  It is more dynamic than SELinux.  This makes it easier to
> configure but also less robust in really well defined locked down
> environments.
> 
> I think an interesting example of using AppArmor is the new guest
> account feature in Intrepid.  We basically dynamically create an account
> and lock it down with AppArmor to make sure that the guest can't do
> anything crazy.

That is a standard policy in AppArmor, not Intrepid.

> All in all, unless you're a spy agency I would say that having someone
> configuring the computer who understands security and configuring a
> computer to be secure matters more than any of the technologies you
> choose.
> 
> 		--Ted
> 
> 
> On Fri, 2008-10-31 at 16:19 -0700, Alan Dayley wrote:
> > Thanks for all the responses to my remote desktop login question.  I'm
> > pretty sure we will deploy FreeNX for that function.
> > 
> > This question has to do with the same server.  A tech savvy manager
> > says we should use "NSA Linux" on the remote desktop host server.
> > What he means is use the SELinux security features.
> > 
> > Now, I don't have lots of experience with setup and maintenance of
> > SELinux.  I have read that it is painful and requires more
> > administration than just "set and forget."
> > 
> > A similar technology is the AppArmor profiles for applications.  Said
> > to be easier to use than SELinux but provides much the same benefits.
> > 
> > Then a third camp seems to think that both of these are overkill and a
> > headache for the benefits gained.  They feel that, configured
> > correctly, standard user security on a Linux box is secure enough for
> > most business applications.
> > 
> > Where do any of you stand on this argument?  Is SELinux really a pain
> > to setup and use?  Is AppArmor interesting but not worth it?
> > 
> > Given the function of the server as I previously described in that
> > other thread (http://lists.plug.phoenix.az.us/lurker/thread/20081030.230820.05346d48.en.html#20081030.230820.05346d48),
> > What security extensions would you deploy and why?
> > 
> > Alan
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
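
The thread contrasts SELinux's inode-attached labels with AppArmor's path-based rules. The following is an added example, not part of any message in the thread and not code from either project: a toy Python model of the two decision styles, run against real files in a temporary directory. The domain, type and profile names (`mailer_t`, `mail_spool_t`, `backup_t`, `mailer`) are hypothetical.

```python
import fnmatch
import os
import tempfile

class LabelPolicy:
    """Toy label model: a type label is attached to the inode, not the name."""
    def __init__(self, allow):
        self.allow = set(allow)   # permitted (domain, type) pairs
        self.labels = {}          # (device, inode) -> type label

    def _key(self, path):
        st = os.stat(path)
        return (st.st_dev, st.st_ino)

    def label(self, path, type_):
        self.labels[self._key(path)] = type_

    def permits(self, domain, path):
        return (domain, self.labels.get(self._key(path))) in self.allow

class PathPolicy:
    """Toy path model: a profile lists glob patterns over path names."""
    def __init__(self, rules):
        self.rules = rules        # profile name -> list of globs

    def permits(self, profile, path):
        return any(fnmatch.fnmatchcase(path, g) for g in self.rules[profile])

def demo():
    """Return (label decision, path decision) for three constructed cases."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        spool, backup = os.path.join(root, "spool"), os.path.join(root, "backup")
        os.mkdir(spool)
        os.mkdir(backup)
        msg, notes = os.path.join(spool, "msg1"), os.path.join(backup, "notes")
        for p in (msg, notes):
            open(p, "w").close()
        labels = LabelPolicy({("mailer_t", "mail_spool_t")})
        labels.label(msg, "mail_spool_t")
        labels.label(notes, "backup_t")
        paths = PathPolicy({"mailer": [os.path.join(spool, "*")]})
        check = lambda p: (labels.permits("mailer_t", p), paths.permits("mailer", p))
        out = {"in_place": check(msg)}
        os.rename(msg, os.path.join(backup, "msg1"))      # same inode, new name
        out["moved_out"] = check(os.path.join(backup, "msg1"))
        os.rename(notes, os.path.join(spool, "notes"))    # old label, new name
        out["moved_in"] = check(os.path.join(spool, "notes"))
        return out

if __name__ == "__main__":
    for case, decision in demo().items():
        print(case, decision)
```

The label travels with a moved file while the path rule follows the name; on a real SELinux host, `restorecon` is the tool that resets a moved file's label to the policy default for its new location.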
