Problem solve Get help with specific problems with your technologies, process and projects.

Security face-off: Red Hat's SELinux vs. SUSE AppArmor, others

While Red Hat seems to have cornered the SELinux market, SUSE is hoping AppArmor will be an attractive alternative. Other distributions are offering their own SELinux deployments. Expert Ken Milberg evaluates several of them and discusses Novell's AppArmor.

Recently, we discussed Security Enhanced Linux (SELinux) on Red Hat's implementation of RHEL5. Clearly, Red Hat...

has made SELinux an important part of its distribution. But what about other distributions, what are their implementations like? We'll take a look at how SELinux runs on other distributions and what kind of support and documentation is available in deployment. SUSE and AppArmor SELinux was once partly integrated in SUSE Linux 9.x and SLES 9. Today, you are on your own if you decide to go with SELinux and SUSE, as Novell no longer supports SELinux in their SUSE products. Novell determined that they would go another route in their competition with Red Hat, by making the AppArmor software, the flagship security product purchased from Linux security vendor Immunix. While there are places to download packages written for SLES9 that supposedly work on SLES10, SELinux is not a supported product. In fact, even the folks that maintain these packages recommend you consider switching to a supported distribution, such as Fedora, Gentoo or Debian.

So why has Novell bet the farm on AppArmor and how does it compare to SELinux? AppArmor has many features found in SELinux, but boasts a simplicity that serves as its main selling point. Unlike SELinux, Novell's distribution lets you create profiles with a few clicks. You can even call up AppArmor from the YaST Control Center, and start creating security profiles, right from wizards.

Figure 1- AppArmor on SUSE

AppArmor supplements the discretionary access control mechanism of Linux with mandatory access control (MAC), allowing each program to run with a strict set of permissions specified by the system. MAC assigns a profile (security policy) to each application, which defines the system resources and privileges that the applications can access. Novell has been working really hard to try to make this included in the mainline Linux kernel, which would increase competition with SELinux. AppArmor plugs into the kernel through an LSM (Linux Security Modules) interface. While Novell is pitching this, SELinux will already satisfy the most stringent of security standards but lacks the usability of AppArmor. Customers with more stringent security requirements, such as government and financial institutions, will probably choose SELinux over AppArmor anyhow because of its certifications.

An interesting sidebar to all of this is that several weeks ago, to the consternation of many, Novell actually laid off programmers who had been the brains behind this project. Novell now wants the community to pick up the maintenance and development of AppArmor, similar to how it does for SELinux and other open source products. As a result of the lay-off, the founders themselves started a company, aptly named handbook on SELinux, with sections on preparation, installation, configuration and operation. For example, it gives a thorough assessment of the preparation required for an SELinux deployment. The prep-work includes:

  • Switching profiles – based on what type of architecture you have, in which case the follwing would be helpful: # ln -sf /usr/portage/profiles/selinux/2007.0/x86 /etc/make.profile
  • Updating kernel headers – If the Linux-headers version is older than 2.4.20, newer headers must be merged.
  • Updating glibc – You need to recompile rlibc if you have merged headers or are not certain if the glibc was compiled with newer headers. If this is not done, then some operations will malfunction.  # emerge glibc

Debian – The Debian Linux kernels have had SELinux support since version 2.6.9. In order to activate SELinux, the parameter selinux=1 needs to be passed to the kernel when booting. Installing Debian requires that package-specific fixes are installed as necessary. These include pam, initscripts, mail servers, static ttys, udev, cron, locate and updatedb backups and Xen instances. Like Gentoo, you must also use filesystems that support SELinux including ext2, ext3, jfs and xfs. Note that there is only partial support for ReiserFS. A program called check-selinux-installation is also there, to help you confirm that everything has been setup correctly.

EnGarde – Probably the most secure version of Linux is the EnGarde Linux distribution by Guardian Digital Inc. Not only does it contain SELinux access and support, but also includes integrated intrusion detection, anti-virus and network management, all managed through a browser based tool, the aptly named WebTool. If security is your main concern, I highly recommend this version of Linux.

Fedora – The release of Fedora Core 5 added several new features to SELinux, one of which is Multi-Category Security (MCS). The purpose of MCS is to protect data confidentiality, although it is not specifically designed to prevent system cracking. SELinux functionality that you may be familiar with from previous releases (the domain-type model) is still used for protecting system integrity. MCS is an extra feature, which helps prevent accidental or deliberate leaks of secret data.

Ubuntu – The goal of the SELinux for Ubuntu project is to make SELinux an install-time and/or run-time configuration option, but it is not intended to replace AppArmor. Actually, there is very little documentation on how to get SELinux working on Ubuntu, but I did find a helpful guide. Unfortunately, Ubuntu does not seem to be interested in SELinux, which in a way speaks volumes to the usability of SELinux, as Ubuntu is known as perhaps the most user-friendly Linux distribution out there.

If you are planning on deploying SELinux in your corporate environment, Red Hat may be your only viable option. While other distributions provide support and documentation, they may not support the new features of SELinux including Multi-Category Security and they may not have the capabilities necessary to support this product at an enterprise level. On the other hand, in addition to Red Hat, Fedora cores 5 and 6, Hardened Gentoo and Debian, are not only supported but have all of the recent technology enhancements (references polices, loadable modules and policy management infrastructure) integrated into their distributions. It is important to note that when installing SELinux on a Linux distribution which lacks official SELinux support (such as SUSE) you must compile the software and have other necessary system packages installed. SELinux itself consists of an SELinux-enabled kernel, which is a core set of libraries and utilities, some modified packages, and a policy configuration.

About the author: Ken Milberg is a systems consultant with two decades of experience working with Unix and Linux systems. He is a Ask the Experts advisor and columnist.

Dig Deeper on Linux servers