Novell's AppArmor challenges SELinux
- By Joab Jackson
- Feb 24, 2006
Novell Inc. of Provo, Utah, has released the source code for its recently acquired open-source Linux security application, AppArmor, and has also set up a project site in hopes of attracting outside developers to further refine the program.
The release of the software has sparked debate in the open-source community, however.
Novell stressed that AppArmor is easier to use than another open-source program called SELinux. First developed by the National Security Agency, SELinux tackles the same job of mandatory access control (MAC) with an unrelenting thoroughness, though it has a reputation for being difficult to manage. "There needs to be a better way to deploy [MAC] so that the average systems administrator doesn't need to go through three weeks of training," said Frank Rego, products manager for Novell.
Some observers fear that the AppArmor project will fracture the open-source development community around the demanding science of MAC.
"In my opinion, Novell wants to split the market," said Dan Walsh, the principal software engineer of Red Hat Inc. of Raleigh, N.C. Both Red Hat and Novell offer enterprise class Linux distributions. "Rather than working with the open-source community [on SELinux], Novell has thrown out its own competing version."
Novell acquired AppArmor last May when it purchased Immunix Inc., which developed the software. Novell has made the application, along with its source code, freely available on the site under the GNU Public License.
The chief component of AppArmor is a module that must be added to the Linux kernel. Those who don't want to recompile the kernel can install the SUSE Linux 10 desktop distribution, as well as SUSE Linux Enterprise Server 9 Service Pack 3, both of which have AppArmor preinstalled. (An AppArmor module for Slackware Linux is also in the works.)
MAC software tackles the growing problem of applications executing malicious tasks on their host systems. Many of today's security problems come from application vulnerabilities that are exploited by malicious hackers or rogue programs.
MAC software keeps profiles of routine actions that each application on a computer usually takes during normal operations. When a program starts behaving in an unusual fashion, the MAC software can call on the operating system to halt that errant operation.
Although both AppArmor and SELinux use the Linux Security Module Interface, a new Linux feature allowing kernel-level mediation of security decisions, the programs differ in scope.
"The biggest difference between AppArmor and SELinux is in the ease of deployment," Rego said. NSA designed SELinux to protect highly classified documents in sensitive environments, according to Rego. And while it executes this job well, it may be too powerful for most everyday deployments. In fact, SELinux's complexity may have been an obstacle to wider deployment, Rego speculated: administrators may turn off security controls in an effort to keep operations running smoothly.
AppArmor has a graphical user interface that should ease deployment, Novell hopes. The package includes profiles for widely used programs and utilities, such as Apache, Sendmail, Bind and others. In addition to these programs, the administrator can also build profiles for in-house or other programs using AppArmor's characterization and behavior-learning tools.
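As an added illustration, not taken from the article or from the AppArmor project, here is what a profile of "routine actions" looks like for a hypothetical in-house daemon at the assumed path /usr/local/bin/reportd. The profile lists the files, helper and capability the program normally uses; the kernel module denies and logs any access outside that list, which is the "halt the errant operation" behaviour described above. The rule syntax is that of later AppArmor releases and is assumed for this example.

```apparmor
# Added example profile (not from the article) for a hypothetical daemon.
# Everything the program normally touches is listed; anything not listed
# is refused by the AppArmor kernel module and written to the system log.
#include <tunables/global>

/usr/local/bin/reportd {
  # Shared libraries, locale data and other basics every program needs
  #include <abstractions/base>
  # Resolver configuration and hosts file for name lookups
  #include <abstractions/nameservice>

  # The program's own binary and its configuration, read-only
  /usr/local/bin/reportd          mr,
  /etc/reportd/reportd.conf       r,

  # Working data and log file: write access is confined to these paths only
  /var/lib/reportd/               r,
  /var/lib/reportd/**             rw,
  /var/log/reportd.log            w,

  # The one privilege the daemon genuinely needs (binding a port below 1024);
  # every other capability is unavailable to it even when it runs as root
  capability net_bind_service,

  # A helper it spawns runs under its own separate profile (Px), so the
  # helper does not inherit these rules; that profile must also be loaded
  /usr/local/bin/reportd-mailer   Px,
}
```

Every rule here names a filesystem path, which is what makes the profile readable to an administrator; it is also the trade-off Walsh's criticism below refers to, since aspects of the system that are not reachable as paths are not described by such a profile.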
Not everyone welcomes the release of AppArmor.
"Is this the beginning of the Unix wars all over again?" Walsh asked on a LiveJournal blog he opened to express his views on the subject.
In the late 1980s and early 1990s, different Unix vendors developed tools and applications that would only work with their own versions of Unix, later forcing them to expend considerable effort on cross-platform versions of these programs. As a result, Microsoft Corp. was able to gain significant market share by offering a single platform, Windows NT, that could work across a wide variety of hardware.
By introducing a second MAC application into the open-source landscape, Novell is splintering the development community, Walsh charged. Only a limited number of developers have the expertise to work on such an application, and the effort Novell itself will put into AppArmor could have been applied to improving the user interface of SELinux.
"In the open-source world, we should be working together on a single product for people to use mandatory access control," Walsh said. Red Hat deploys SELinux for its own distribution, as do several other Linux distributions.
On the blog, Walsh also questioned the viability of AppArmor itself, pointing out that the program is easier to use because it doesn't control as many low-level aspects of system operation as SELinux does, aspects that must be considered when setting up a secure environment.
"SELinux can be difficult to use because security is difficult to understand," Walsh said.
Joab Jackson is the senior technology editor for Government Computer News.