
Re: AppArmor or SELinux?



On Sun, 17 Jun 2012 18:41:22 +0200, Claudius Hubig wrote:

> Camaleón <noelamac@gmail.com> wrote:
>> On Sun, 17 Jun 2012 13:14:03 +0200, Claudius Hubig wrote:
>>
>> And I share the same feeling for SELinux, I mean, a tool that can be
>> very helpful when it is properly configured and you know well about
>> its possibilities but its setting up is not what we would consider a
>> child game.
> 
> Administrating a computer is not a child game, and, yes, it took me some
> time to tweak my custom AppArmor profiles to do what I want.

You say "administrating", users say "playing" :-)

If I put the admin hat on, I can understand what you mean; what I wanted
to say is that plain users do not usually care for those things.

>> Debian used to include some support for SELinux but I dunno about the
>> status for AppArmor. There's more information here:
>> 
>> http://wiki.apparmor.net/index.php/Distro_debian
> 
> Unfortunately, that information is rather out of date, as you can see
> from the Kernel version numbers, for example. 

"Out of date"... don't say that word to a person who is using kernel 
2.6.26 :-P. Now seriously, the wiki talks about kernel 3.1, and that's 
not that old.

> That said, AppArmor currently runs fine on Linux 3.2 - and I just found
> what appears to be kernel 3.4 patches[1]. Nevertheless, my concerns
> still stand, as the development model of AppArmor still appears rather
> chaotic, with some outdated wiki pages etc.

AppArmor was included in the mainline kernel tree some time ago and I have
not read that it was removed or something like that, so it has to be still
supported for the newer versions :-?

>> > My question is: Would it make sense to deploy SELinux on my system to
>> > achieve the tasks mentioned above?
>> 
>> Mmm... I'd say no.
> 
> Thanks. Please allow me to rephrase the question: Given the temporary
> unavailability of kernel patches for AppArmor for kernel 3.4, the fact
> that it appears not to be fully merged into the main kernel, the rather
> chaotic wiki page which lets one hunt for the required patches and the
> lack of official support by major distributions other than Ubuntu, would
> it make sense to switch from a running AppArmor system to a SELinux
> system?

I'd say "no" again :-)

As I already mentioned, both approaches look too complex to my taste.

Anyway, if what you are telling me is that you have to go with
AppArmor or SELinux (yes or yes), of course I'd choose SELinux in Debian.
But if there's not a hard requirement and the system is going to be used
for general purpose, I'd install/configure none of them.

>> I find it a valid concern but for a mere user point of view, I would
>> prefer having to deal with not that complex utilities to harden the
>> system applications, for example, something like the sandbox or virtual
>> machine concept, i.e., easy to deploy (some browsers already include a
>> sandbox from where they run the dangerous plugins), easy to understand
>> (a separate zone that cannot interfere with the host system) and easy
>> to use ("run & go", or "install, run & go") :-)
> 
> Security can never be reached by a run & go concept, simply because
> individual requirements differ far too much to cater for all different
> needs with default configurations. 

Well, if the provided solution is well implemented, why not? That's what
most of us have been doing all this time before VMs were widely deployed;
isolated machines for different purposes with no network connection to
avoid 95% of the security flaws.

> And while sandboxing is a sensible approach _within_ the browser, it
> only handles plugins in an assumed-as-safe application, not the
> application itself. 

Yes, it was just a sample concept, nothing you can use for your problem.

> The kernel should do that, and that’s what SELinux, AppArmor etc. are
> for, in my opinion: separate processes, users and files as much as
> possible.

Yes, but again, the price to pay to have those apps properly configured
so they can be really useful is too high, IMO.
 
> Complete virtual machines for each of the applications (Opera, 
> Iceweasel, Pidgin, Skype) would 
> a) probably break my machine’s RAM requirements 
> b) be rather unusable 
> c) make it much more difficult to, for example, download a file with
> Iceweasel and then send it to someone using Pidgin.

Yes, I know. But again, I was pointing to the browser sandbox and VM as
another way to handle some aspects of your security concerns but not all,
I mean, a VM will not prevent your browser passwords or cookies from being
stolen but can indeed prevent your host files from being accessed.

Greetings,

-- 
Camaleón

