Today Novell/SUSE submitted the AppArmor patches to the Linux Kernel Mailing List (LKML). Following the discussion is likely to be interesting.
Red Hat has adopted the SELinux security framework (already accepted into the Linux kernel). The SELinux framework plugs into the kernel's LSM subsystem. Some people have complained of the complexity of SELinux. Because of the complexity and interference, many people just turn off SELinux. The response from the SELinux folks is that Linux software has complex interactions and *any* solution to properly secure it will be, by definition, at least as complex. Furthermore, the SELinux developers say that they have worked hard on developing a clean foundation that is basically complete now, and that all the easy-to-use front-end management software can now appear.
Novell/SUSE has chosen an alternate, less complex security framework, AppArmor. The benefit is, well, that it is less complex and doesn't "interfere" as much as SELinux, so it is less likely to get turned off. The complaint about AppArmor is that it doesn't provide full security and depends on file pathnames, and won't scale well because of the required locking. If a file's name changes (hard link, mount, etc.), the security goes out the window. Another issue brought up is that using AppArmor precludes the use of filesystem namespaces, support for which has been slowly added to the kernel. The use of namespaces is supposed to usher in a new era of flexible and wonderful abilities that could be very useful for desktop users and virtualization. Today, however, nobody is making use of filesystem namespaces in any mainstream distribution.
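To make the pathname objection concrete, here is an added example (not from this post, and not AppArmor or SELinux code) that models the two decision styles as toy Python functions: one keyed on the pathname used to open a file, one keyed on a per-inode label stored in a constructed dict. A hard link gives the same inode a second name, and only the path-keyed check changes its answer.

```python
import os
import tempfile

def path_based_allows(path, allowed_dir):
    """AppArmor-style rule (toy model): permit access when the name used to
    open the file lies under allowed_dir. Only the string is consulted."""
    prefix = os.path.abspath(allowed_dir) + os.sep
    return os.path.abspath(path).startswith(prefix)

def label_based_allows(path, labels, allowed_label):
    """SELinux-style rule (toy model): permit access when the object's label
    matches. Labels are stored per inode, keyed by (st_dev, st_ino)."""
    st = os.stat(path)
    return labels.get((st.st_dev, st.st_ino)) == allowed_label

def demonstrate(root):
    """Create a confidential file, hard-link it under a public tree, and ask
    both toy policies whether a program limited to 'public' may read it."""
    secret_dir = os.path.join(root, "secret")
    public_dir = os.path.join(root, "public")
    os.makedirs(secret_dir)
    os.makedirs(public_dir)
    secret = os.path.join(secret_dir, "key")
    with open(secret, "w") as f:
        f.write("constructed secret\n")
    # Label the secret's inode as confidential (constructed label store).
    st = os.stat(secret)
    labels = {(st.st_dev, st.st_ino): "confidential"}
    # A hard link gives the same inode a second name under the public tree.
    alias = os.path.join(public_dir, "notes.txt")
    os.link(secret, alias)
    return {
        "path_direct": path_based_allows(secret, public_dir),
        "path_via_link": path_based_allows(alias, public_dir),
        "label_direct": label_based_allows(secret, labels, "public"),
        "label_via_link": label_based_allows(alias, labels, "public"),
    }

def run():
    """Run the demonstration in a throwaway directory and return the verdicts."""
    with tempfile.TemporaryDirectory() as root:
        return demonstrate(root)

if __name__ == "__main__":
    for check, allowed in run().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

The path-keyed check denies the file under its original name but permits it through the link, while the inode-keyed check gives the same answer for both names.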
Personally, as a system administrator and user of Linux, I encourage the distributions to "un-fork" as much as possible. Thanks to the Linux Standards Base (LSB) and other efforts, managing Red Hat boxes and SUSE boxes is, for the most part, the same. So from this standpoint I'm pretty disappointed to see this split. It becomes yet another thing I must wrap my brain around and keep up on. Also, from an efficiency and pace-of-innovation perspective, I would have preferred all the resources and development pushing and pulling in the same direction.
At Guru Labs we already have extensive SELinux coverage in our GL550 Linux security training class. When we do the big rev for RHEL5 and SLES10 we will be adding extensive coverage of AppArmor as well.