[ISN] Security wars: Novell SELinux killer rattles Red Hat

InfoSec News isn at c4i.org
Tue Feb 28 03:03:42 EST 2006

Forwarded from: Kurt Seifried <listuser at seifried.org>

This article is somewhat... retarded.

AppArmour (formerly called SubDomain) is easier to configure and
manage in some respects, the rulesets are easier to read.

"By introducing a second MAC application into the open-source
landscape, Novell is splintering the development community, Walsh
charged. Only a limited number of developers have the expertise to
work on such an application, and the effort Novell itself will put
into AppArmor could have been applied to improving the user interface
of SELinux."

However like AppArmour there are front ends for SELinux, such as
Tresys' "Setools". Additionally you can manage the rules manually
(it's just text files, granted a bit on the huge and complicated side
but nothing impossible). The Tresys tool for example includes the
capability to let you run SELinux in permissive warning mode (so it'll
allow but log violations), you can then parse the audit file to build
a profile. You can also do this manually using grep and other common
command line tools to build a ruleset.

To compare SELinux/AppArmour to the UNIX wars is.. odd. You can run
either one, and you can convert policies back and forth (guess what,
they basically specify the same bits of information in the end). It
wouldn't be impossible (in fact it would be relatively easy) for an
application vendor to ship both an AppArmour and SELinux profile with
their software, minimizing any problems for end users.

As for Red Hat complaining about Novell trying to split the market,
that's one of the sillier things I've ever read. Isn't one of the
benefits of OpenSource that we have access to the code and minimal
vendor lock in, i.e.  a choice of the best solution for me? It's
somewhat disturbing to me to see such comments coming out of Red Hat.

Personally I would love it if Red Hat shipped both SELinux and
AppArmour, I have had to disable SELinux on several machines
specifically because Red Hat's policies for the Apache HTTP web server
are too restrictive, and manually fixing the SELinux policies is more
trouble right now then it's worth (it's on my todo list... someday).
AppArmour would allow me to quickly allow the extra things required by
the application.


More information about the ISN mailing list