I just read an amusing article on Government Computer News entitled Security wars: Novell SELinux killer rattles Red Hat. I find it amusing because now that Novell owns AppArmor, and has made it public (GPL), it’s starting to rattle some SELinux-based cages (for those not in the know, Novell acquired AppArmor when it bought Immunix, who originally developed it). For that reason alone I like the idea of AppArmor… I have very high respect for the Immunix guys and the work they’ve done.

What I find amusing is Red Hat’s response to the release and GPL of AppArmor; from the article:

“In my opinion, Novell wants to split the market,” said Dan Walsh, the principal software engineer of Red Hat Inc. of Raleigh, N.C. Both Red Hat and Novell offer enterprise class Linux distributions. “Rather than working with the open-source community [on SELinux], Novell has thrown out its own competing version.”

Huh? Are you trying to tell me that SELinux was the only MAC software for Linux? Maybe you’re trying to tell me it’s the best. In my opinion, neither is true. To understand my point of view, you need to understand that I don’t like LSM (the Linux Security Modules), which is what stuff like AppArmor and SELinux take advantage of (and for this reason, I’m not too hugely keen on AppArmor either). To explain why, just read this from the RSBAC site on Why RSBAC does not use LSM. I’m inclined to agree with a lot of their points. From the day LSM was born I was leery of the idea.

At any rate, what Red Hat (and journalists, apparently) seem to miss is that there is a lot more MAC-ish software out there, including RSBAC, GRsecurity, LIDS, and others (I think LIDS is still around… the last time I played with it was around the Mandrake 8.1 days and I loved running it, but it was too much for me to maintain).

What they also don’t get is that while SELinux is difficult to configure, it’s also way too intrusive. The kernel stuff might be fairly simplistic due to LSM, but it has to go out and touch user-land apps too. MAC protection is great, but when I have to have specific patches in PAM, util-linux, etc. in order to make it work in the first place, all of a sudden I’ve lost my interest. I shouldn’t have to patch userland tools to run this stuff. With RSBAC, you don’t have to. I’m pretty sure with AppArmor you don’t either. That’s another reason I dislike SELinux.

SELinux isn’t the be-all and end-all and while it might be great for military setups, the end-user shouldn’t have to deal with the headache. I’ve read some of the implementation notes of AppArmor and find it much more suitable for the average joe than SELinux and, frankly, I’m glad Novell is going that route. Maybe it’ll make the SELinux guys look at making it a little easier to use.
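To make the “less intrusive” point above concrete, here is what a path-based AppArmor profile looks like. This is an added illustration, not code from the article or from Novell/Immunix; the daemon name /usr/sbin/exampled and every path in it are made up, and the abstractions include file is assumed to exist in the installed AppArmor policy tree.

```apparmor
# Added illustration (hypothetical daemon), not from the original post.
# Would be installed as /etc/apparmor.d/usr.sbin.exampled and loaded with:
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.exampled
#include <tunables/global>

/usr/sbin/exampled {
  #include <abstractions/base>

  # The binary itself: read and mmap only, never writable from inside the domain.
  /usr/sbin/exampled mr,

  # Read-only configuration; nothing else under /etc is visible.
  /etc/exampled/ r,
  /etc/exampled/** r,

  # Log directory: only the daemon's own *.log files are writable.
  /var/log/exampled/ r,
  /var/log/exampled/*.log w,

  # Runtime state file.
  /var/run/exampled.pid rw,

  # Network: a TCP listener only; no raw sockets, no other families.
  network inet stream,

  # The single capability needed to bind a privileged port.
  capability net_bind_service,
}
```

Nothing here touches userland: there is no filesystem relabeling step, and ls, ps, PAM and the rest of util-linux run unmodified because the policy is keyed on pathnames rather than on labels carried by inodes and processes. The flip side, and the usual SELinux-camp objection, is that pathnames are not objects: if the same file is reachable through a hard link or a bind mount that the profile does not list, the profile does not cover that path.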

Of course, you have other idiots who completely don’t understand things. Dan Walsh seems to think that Linux is going to fragment over this and we’ll have another UNIX wars over this. Folks, SELinux wasn’t the first MAC implementation, and it’s probably not the best either. Remember, choice is good and alternatives rock. Did you dis Firefox when it came out, thinking it was the browser wars all over again? And if it was, so what? Maybe all the attention Firefox is getting will make IE7 better (I doubt it, but hey, you never know). If the Mozilla folks decided that they didn’t want to step on any toes, Firefox would have gone nowhere. We wouldn’t have Seamonkey now. Maybe we shouldn’t have supported the creation of the Evolution email client because it might have competed unfairly with Mozilla Mail? Maybe the guys who developed Ruby should have sat back and decided to work on Python, PHP, or Perl in order to not fragment the scripting/development communities?

Come on.

Innovation is good. New, competing software is good. It weeds out the crap. Maybe Novell disagreed with how SELinux worked and saw changing it to suit their vision as too much work or too much of an uphill battle, fighting with SELinux authors and maintainers. Maybe they looked at Immunix’s stuff and went “hey, that’s what we like”. Remember, AppArmor wasn’t recently developed; it came along with the Immunix staff and their other technology. So this isn’t a “new” thing. They’ve just made it more publicly available; they’ve given us choice. It’s not proprietary, it’s not a lock-in (anyone who can recompile a kernel can use it).

Oh, the other thing I find amusing is that Dan Walsh, who is bemoaning AppArmor and berating Novell for not contributing money and effort to SELinux is working on it himself: “Three years ago, I was asked to work on the SELinux Team at Red Hat to bring Mandatory Access Control to a mainstream operating system (OS).” This isn’t a neutral third-party. Think about that. Of course Red Hat is going to complain about AppArmor; they have a financial stake in SELinux after all.

Anyways, I’d rather avoid both altogether, just because I don’t like LSM. Give me RSBAC any day. It’s just as hard as SELinux, has all the stuff in it you want, has been around forever, and doesn’t use LSM. The SELinux junkies should love it.

The same arguments folks make about AppArmor over SELinux could easily be made about SELinux over RSBAC. End goals and implementation designs are the deciding factors here, and apparently Novell prefers the simplicity of AppArmor over SELinux. For a guy who’s briefly played with SELinux, I don’t blame them at all.

In fact, because Mandriva is using the 2.6 kernel, we may want to look at AppArmor as opposed to RSBAC. For Annvix, I’m sticking with RSBAC because I can use it on both 2.4 and 2.6 kernels (which is important since Annvix still uses a 2.4 kernel). Since Mandriva 2006, we’ve not had a 2.4 kernel even as a supported alternative, so we can pretty much use whatever we like (although, from a selfish standpoint, I’d rather Mandriva uses RSBAC too).
