Information Security News mailing list archives

Re: Security wars: Novell SELinux killer rattles Red Hat

From: InfoSec News <isn () c4i org>
Date: Tue, 28 Feb 2006 02:03:42 -0600 (CST)

Forwarded from: Kurt Seifried <listuser () seifried org>

This article is somewhat... retarded.

AppArmour (formerly called SubDomain) is easier to configure and
manage in some respects, the rulesets are easier to read.

"By introducing a second MAC application into the open-source
landscape, Novell is splintering the development community, Walsh
charged. Only a limited number of developers have the expertise to
work on such an application, and the effort Novell itself will put
into AppArmor could have been applied to improving the user interface
of SELinux."

However like AppArmour there are front ends for SELinux, such as
Tresys' "Setools". Additionally you can manage the rules manually
(it's just text files, granted a bit on the huge and complicated side
but nothing impossible). The Tresys tool for example includes the
capability to let you run SELinux in permissive warning mode (so it'll
allow but log violations), you can then parse the audit file to build
a profile. You can also do this manually using grep and other common
command line tools to build a ruleset.

To compare SELinux/AppArmour to the UNIX wars is.. odd. You can run
either one, and you can convert policies back and forth (guess what,
they basically specify the same bits of information in the end). It
wouldn't be impossible (in fact it would be relatively easy) for an
application vendor to ship both an AppArmour and SELinux profile with
their software, minimizing any problems for end users.

As for Red Hat complaining about Novell trying to split the market,
that's one of the sillier things I've ever read. Isn't one of the
benefits of OpenSource that we have access to the code and minimal
vendor lock in, i.e.  a choice of the best solution for me? It's
somewhat disturbing to me to see such comments coming out of Red Hat.

Personally I would love it if Red Hat shipped both SELinux and
AppArmour, I have had to disable SELinux on several machines
specifically because Red Hat's policies for the Apache HTTP web server
are too restrictive, and manually fixing the SELinux policies is more
trouble right now then it's worth (it's on my todo list... someday).
AppArmour would allow me to quickly allow the extra things required by
the application.

-Kurt



_________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org

Current thread:

Security wars: Novell SELinux killer rattles Red Hat InfoSec News (Feb 26)
- <Possible follow-ups>
- Re: Security wars: Novell SELinux killer rattles Red Hat InfoSec News (Feb 28)