[ISN] Security wars: Novell SELinux killer rattles Red Hat

InfoSec News isn at c4i.org
Mon Feb 27 02:08:07 EST 2006


By Joab Jackson 
GCN Staff

Novell Inc. of Provo, Utah, has released the source code for its
recently acquired open-source Linux security application, AppArmor,
and has also set up a project site in hopes of attracting outside
developers to further refine the program.

The release of the software has sparked debate in the open-source
community, however.

Novell stressed that AppArmor is easier to use than another
open-source program called SELinux. First developed by the National
Security Agency, SELinux tackles the same job of mandatory access
control (MAC) with an unrelenting thoroughness, though it has a
reputation for being difficult to manage. "There needs to be a better
way to deploy [MAC] so that the average systems administrator doesn't
need to go through three weeks of training," said Frank Rego, products
manager for Novell.

Some observers fear that the AppArmor project will fracture the
open-source development community around the demanding science of MAC.

"In my opinion, Novell wants to split the market," said Dan Walsh, the
principal software engineer of Red Hat Inc. of Raleigh, N.C. Both Red
Hat and Novell offer enterprise class Linux distributions. "Rather
than working with the open-source community [on SELinux], Novell has
thrown out its own competing version."

Novell acquired AppArmor last May when it purchased Immunix Inc.,
which developed the software. Novell has made the application, along
with its source code, freely available on the site under the GNU
Public License. The chief component of AppArmor is a module that must
be added into the Linux kernel. Those who don't want to recompile the
kernel can install the SUSE Linux 10 desktop distribution or SUSE
Linux Enterprise Server 9 Service Pack 3, both of which ship with
AppArmor preinstalled. (An AppArmor module for Slackware Linux is also
in the works.)

MAC software tackles the growing problem of applications executing
malicious tasks on their host systems. Many of today's security
problems come from application vulnerabilities that are exploited by
malicious hackers or rogue programs.

MAC software keeps profiles of routine actions that each application
on a computer usually takes during normal operations. When a program
starts behaving in an unusual fashion, the MAC software can call on
the operating system to halt that errant operation.

Although both AppArmor and SELinux use the Linux Security Module
interface - a new Linux feature allowing kernel-level mediation of
security decisions - the programs differ in scope.

"The biggest difference between AppArmor and SELinux is in the ease of
deployment," Rego said. NSA designed SELinux to address highly
classified documents for sensitive environments, according to Rego.  
And while it executes this job well, it may be too powerful for most
everyday deployments. In fact, SELinux's complexity may have been an
obstacle to wider deployment, Rego speculated. Administrators may turn
off security privileges in an effort to facilitate smooth operations.

AppArmor has a graphical user interface that should ease deployment,
Novell hopes. The package includes profiles for widely used programs
and utilities, such as Apache, Sendmail, Bind and others. In addition
to these programs, the administrator can also build profiles for
in-house or other programs using AppArmor's characterization and
behavior-learning tools.
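As an added illustration of the profile-based model described above (constructed for this page; it is not AppArmor's own code, and it covers only a small subset of AppArmor's profile syntax), the following Python script parses a profile for a hypothetical program `/usr/sbin/httpd-example`, mediates file-access requests against it in "enforce" and "complain" modes, and promotes complain-mode observations into new rules, a crude stand-in for the behavior-learning tools the article mentions. The profile text, program path and file paths are all constructed sample values.

```python
"""Toy path-based MAC mediator in the style of an AppArmor profile.

Constructed example for this article, not AppArmor's own code. It reads a
small subset of AppArmor-like profile syntax (one path rule per line, modes
r/w/x), mediates accesses in enforce or complain mode, and learns rules.
"""
import re
from dataclasses import dataclass, field

# Constructed profile for a hypothetical program path (not a real package).
SAMPLE_PROFILE = """
# profile for a hypothetical web server (constructed)
/usr/sbin/httpd-example {
  /etc/httpd-example/** r,
  /var/www/** r,
  /var/log/httpd-example/*.log w,
  /usr/lib/** r,
  /tmp/httpd-example-* rw,
}
"""

RULE_RE = re.compile(r"^(/\S+)\s+([rwx]+),$")


@dataclass
class Profile:
    program: str
    rules: list                 # [(path_glob, set_of_modes), ...]
    mode: str = "enforce"       # "enforce" denies; "complain" allows and records
    complaints: list = field(default_factory=list)


def parse_profile(text):
    """Parse the simplified profile text into a Profile (enforce mode by default)."""
    program, rules = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line or line == "}":
            continue
        if line.endswith("{"):
            program = line[:-1].strip()
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        rules.append((m.group(1), set(m.group(2))))
    if program is None:
        raise ValueError("profile has no program header")
    return Profile(program, rules)


def glob_to_regex(glob):
    """AppArmor-style globbing: '*' stays within one path component, '**' crosses '/'."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out += ".*"
            i += 2
        elif glob[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return re.compile("^" + out + "$")


def check_access(profile, path, mode):
    """Return True if the access is permitted (default deny in enforce mode).

    In complain mode every access is allowed, but unmatched ones are recorded;
    that log is the raw material from which a profile is learned.
    """
    for glob, modes in profile.rules:
        if mode in modes and glob_to_regex(glob).match(path):
            return True
    if profile.mode == "complain":
        profile.complaints.append((path, mode))
        return True
    return False


def learn_rules(profile):
    """Turn recorded complaints into literal path rules; return the new paths.

    Caveat: this allows whatever the program did while observed, so the learned
    profile is only as trustworthy as the training run that produced it.
    """
    added = []
    for path, mode in profile.complaints:
        for glob, modes in profile.rules:
            if glob == path:
                modes.add(mode)
                break
        else:
            profile.rules.append((path, {mode}))
            added.append(path)
    profile.complaints.clear()
    return added


if __name__ == "__main__":
    p = parse_profile(SAMPLE_PROFILE)
    for path, mode in [("/var/www/index.html", "r"), ("/var/www/index.html", "w"),
                       ("/var/log/httpd-example/old/x.log", "w")]:
        verdict = "allow" if check_access(p, path, mode) else "deny"
        print(f"{p.program}: {mode} {path} -> {verdict}")
```

Two details worth noticing when running it: the `*.log` rule does not match a log file one directory deeper, because a single `*` does not cross a `/`, so the granularity of the globs decides how much a compromised process can reach; and the complain-then-learn cycle adds exactly the paths the program touched during observation, which is why a learned profile needs review before it is switched to enforce mode.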

Not everyone welcomes the release of AppArmor.

"Is this the beginning of the Unix wars all over again?" Walsh asked
on a Live Journal blog he opened to express his views on the subject.

In the late 1980s and early 1990s, different Unix vendors developed
tools and applications that would only work with their own versions of
Unix, later forcing them to expend considerable effort on
cross-platform versions of these programs. As a result, Microsoft
Corp. was able to gain significant market share by offering a single
platform, with Windows NT, that could work across a wide variety of

By introducing a second MAC application into the open-source
landscape, Novell is splintering the development community, Walsh
charged. Only a limited number of developers have the expertise to
work on such an application, and the effort Novell itself will put
into AppArmor could have been applied to improving the user interface
of SELinux.

"In the open-source world, we should be working together on a single
product for people to use mandatory access control," Walsh said. Red
Hat deploys SELinux for its own distribution, as do several other
Linux distributions.

On the blog, Walsh also cast aspersions on the viability of AppArmor
itself, pointing out that the program is easier to use because it
doesn't control as many low-level aspects of system operation as
SELinux does - aspects that are necessary to consider when setting up
a secure environment.

"SELinux can be difficult to use because security is difficult to
understand," Walsh said.
