A recent post from Russ Coker entitled “AppArmor is Dead” was tolling the death bells for AppArmor because SUSE decided to include SELinux in their operating system… not as the default, and not as a replacement for AppArmor, but it was included nonetheless. Russ determined that this was the beginning of the end for AppArmor, and I read it with some interest largely because Mandriva has settled on AppArmor as our security solution… largely because it fits with our ideal of making things nice and easy for our users. So of course, a post that seems to bring doom and gloom about our security solution is something we’re interested in reading about because if it’s true, then we’ve invested time and effort into the wrong solution.
I read it and thought it had some interesting points, but I didn’t think they were overly valid and it didn’t concern me too much. Yeah, it all seems indicative of the demise of AppArmor (the entire AppArmor team being laid off, the inclusion of SELinux in future products, etc.), but there is no real indication that AppArmor is being discontinued or killed off as a result.
Anyways, Crispin wrote a blog entry responding to it yesterday, entitled “Go Ahead, Make My Day”. Essentially he indicates that there is a bit of paranoia associated with Russ’ post in the conclusion he draws about AppArmor’s demise. Of course, Crispin works for Microsoft now and he makes a valid point. If AppArmor is dying, and since Crispin is working for Microsoft to improve the security mechanisms in Windows’ products, then his job is made easier (thus the title). If Windows security has to compete with the complexity of SELinux, then he indicates his job is all that much easier because all he has to do is make Windows security “easier and more effective to deploy than SELinux”.
Unfortunately, he makes a good point. If SELinux is the “standard”, then security mechanisms that are both easier to use and easier to deploy will become more popular and will just add fuel to the “Linux is harder than Windows” argument. I disagree with that argument… personally, I find Linux easier and Windows more frustrating. But if Windows comes out with something as effective and easy to use as AppArmor, and AppArmor is dead and we’re all using SELinux, when people wake up and realize that good security doesn’t necessarily mean all the complexities of SELinux and similar systems are a necessity, then the argument would be true: Linux would indeed be harder to use than Windows simply due to the (what I believe will soon become a necessity for anyone using a computer) inherent security designs in a user’s chosen operating system.
In other words, while Russ may be right (after all, I don’t work for Novell so I can’t lay something like this to rest, I can only speculate, as can Russ and also Crispin), I sincerely hope he’s wrong. SELinux may be a fantastic system for those who use it, but for those of us who don’t require military-grade security, AppArmor does a very nice job thank-you-very-much of keeping our systems safe.