Re: AppArmor FAQ

From: David Wagner
Date: Tue Apr 17 2007 - 17:58:15 EST

Next message: Mikko Tiihonen: "[PATCH v3] hpet: Detect hidden HPET on NVidia motherboards"
Previous message: Matt Mackall: "Re: [Announce] [patch] Modular Scheduler Core and Completely Fair Scheduler [CFS]"
In reply to: Karl MacMillan: "Re: AppArmor FAQ"
Next in thread: Alan Cox: "Re: AppArmor FAQ"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Karl MacMillan wrote:
>I don't think that the ease-of-use issue is clear cut. The hard part of
>understanding both SELinux policies and AppArmor profiles is
>understanding what access should be allowed. [...]
>Whether the access is allowed with the SELinux or
>AppArmor language seems like a small issue in comparison. Given that I
>think it is better to choose the solution that is complete and capable
>of meeting the most security concerns.

I have a different reaction. Given that the ease of use vs
completeness issues are not completely understood, I would think
it would make more sense to include both in the kernel. Wasn't that
the whole point of the LSM interface, to let competing approaches
bloom and compete on their merits?

I have to say that I'm not convinced the difference in policy
languages is a small issue. I find the SELinux policy language
and policy files more or less inscrutable. In comparison, from
the AppArmor FAQ, I can imagine that I might be able to understand
enough to hack AppArmor policies after 5 minutes of reading a
man page. Whether I'm likely to know what the policy ought to be
is indeed a tough question, but I can imagine that AppArmor might
be more usable than SELinux. Even if SELinux is more "complete"
than AppArmor, I might still prefer ease of use over completeness
and understandability.

And I have to say that the ability to form a mental model of how
the system works and understand more or less what it is doing may
be useful. I find debugging SELinux problems a bear: I often just
end up disabling entire SELinux policies, or turning off SELinux,
because I can't understand what it's doing. In comparison, it's
plausible that it might be easier for sysadmins to understand what
AppArmor is doing, since they don't have to understand labelling and
hard-to-read policy files. And the increase in understandability
might potentially outweigh the "completeness" issue, in some cases.
Ultimately, easier to use and easier to understand tools might
better solve security overall, because they are more likely to be
used and to be used correctly.

Bottom line: I think the comparison regarding ease of use is a
bit speculative at this point, but I think there is sufficient
reason for thinking that AppArmor might be a useful tool in some
deployment environments.

>I'd also argue that the typical interface presented to admins (which
>doesn't involve writing new policies) is easier for SELinux than with
>AppArmor. Most admins do fine with relabeling, changing booleans, and
>running audit2allow, which is all that is needed to solve the majority
>of SELinux issues.

Heh. I had to chuckle at that one: it is pretty far removed from
my own personal experience.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mikko Tiihonen: "[PATCH v3] hpet: Detect hidden HPET on NVidia motherboards"
Previous message: Matt Mackall: "Re: [Announce] [patch] Modular Scheduler Core and Completely Fair Scheduler [CFS]"
In reply to: Karl MacMillan: "Re: AppArmor FAQ"
Next in thread: Alan Cox: "Re: AppArmor FAQ"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]