During the last few days I had to install SUSE and Red Hat Linux on some machines and had time to take a closer look at both. The first thing on Red Hat that caught my eye was SELinux, a neat way of limiting the damage done by a security breach. SUSE ships its own thing, called AppArmor, which is meant to make the same job simpler.
SELinux is a set of modular security features that work at kernel level, which was nothing new to me. As I had already done some work with it, I was able to get my system up and running without much hassle.
AppArmor, Novell's idea of security, was pretty new to me; I only knew its name from the media coverage when it was released under the GPL. AppArmor requires some kernel patches, libraries, utilities and a profile parser. That is nothing special, since it has to do its work at kernel level. But what's this? Some scripts come with a proprietary license boilerplate. Let's assume that Novell simply overlooked them, and so do I, trying to find some answers to questions nobody has asked yet.
Compared to SELinux, AppArmor confines individual applications and programs (a profile is attached to an executable path, and everything without a profile runs unconfined), not the entire system. But what is the point of protecting only some programs? Can you choose how your systems will be attacked? Do you ask an attacker to limit his mess to the web server? So I am asking you for a scenario in which AppArmor is really able to protect your system, or is it rather apparent security for the administrator? Why reinvent the wheel, when this was done on Unix systems years ago?
I decided to discuss those things later over a beer and went on digging deeper into AppArmor, where I discovered another surprise: it supports POSIX capabilities, but capabilities are a mechanism for handing a process pieces of root's privilege, not for taking privileges away; in a profile, a `capability` rule names a capability the confined process is allowed to use. This won't be of much use anyway, since many services have by now developed their own schemes for privilege separation.
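As an added illustration that is not part of the original post, here is an AppArmor profile for a hypothetical daemon at /usr/sbin/exampled; the binary, its config and data paths and the capabilities it needs are all assumptions. It shows the two points made above: confinement is attached to a single program path, and the `capability` lines are a whitelist of what the confined process may still do, so the daemon can run as root and be refused every capability not listed. Newer AppArmor releases also have `network` rules; the profile leaves them out since the post does not cover them.

```apparmor
# Added example profile (not from the original post or from Novell/SUSE).
# Paths, capabilities and the daemon name are assumed for illustration.
# Syntax follows the apparmor.d(5) profile language.
#include <tunables/global>

/usr/sbin/exampled {
  #include <abstractions/base>

  # Capability rules are a whitelist: even when exampled runs as root,
  # it may only exercise the capabilities listed here. A request for
  # any other capability (cap_sys_admin, cap_dac_override, ...) is
  # denied by the kernel and logged.
  capability net_bind_service,
  capability setuid,
  capability setgid,

  # File rules: r = read, w = write, m = map executable, ix = execute
  # and stay confined under this profile.
  /usr/sbin/exampled mr,
  /etc/exampled/** r,
  /var/lib/exampled/** rw,
  /var/log/exampled.log w,
  /bin/sh ix,

  # Everything not listed above, /etc/shadow included, is denied.
  # Making the denial explicit also silences the audit log entry:
  deny /etc/shadow r,
}
```

Place the file under /etc/apparmor.d/ and load it with `apparmor_parser -r /etc/apparmor.d/usr.sbin.exampled`; a profile only ever restricts the program it names, so any other process on the box still runs unconfined.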
My conclusion is fairly simple: I will stick to SELinux, since it can also control network access and the system calls a process may make, and it is often extremely desirable to prevent a process from accessing the network at all.