Why I Like AppArmor More Than SELinux

AppArmor and SELinux are two of the Linux Security Modules that can be used for fine-grained mandatory access control. They both try to accomplish very similar goals, but AppArmor is widely considered to be easier to use (and, really, it is) and SELinux is widely considered to be more fine-grained.

Bypassing AppArmor

AppArmor is path-based by nature, which means that it doesn’t know what “pidgin” is; it knows what “/usr/bin/pidgin” is. Because of this, all AppArmor profiles deny mount and namespace access, since either can obviously lead to a bypass.

AppArmor doesn’t limit IPC in any way (DAC handles it) once granted, so while “pidgin” may not be able to access a file, it may be able to manipulate another process into doing so.

I don’t think there’s been a remote bypass of AppArmor in ages, and because AppArmor can actually prevent exploits in the first place (with proper profiles), it’s really very strong.
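Since mount is denied unless a profile grants it, one practical audit is to look for the rules that hand it back. The following is an added example, not part of the original post: a small Python check that scans a profile for rules that undermine path-based confinement. The sample profile is constructed, and the set of rules flagged is an illustrative assumption rather than a complete audit.

```python
import re

# Constructed sample profile (not from the post); paths and rules are illustrative.
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/bin/pidgin {
  #include <abstractions/base>
  /usr/bin/pidgin mr,
  owner @{HOME}/.purple/** rw,
  deny @{HOME}/.ssh/** rw,
  capability sys_admin,
  mount options=(rw, bind) /srv/ -> /mnt/,
  deny pivot_root,
  /usr/bin/xdg-open Ux,
}
"""

QUALIFIERS = {"audit", "allow", "deny", "owner"}
MOUNT_RULES = {"mount", "remount", "umount", "pivot_root"}

def audit_profile(text):
    """Return (line number, rule, reason) for each rule that weakens path-based confinement."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rule = raw.strip().rstrip(",")
        # Skip blanks, comments/#include lines and the profile's opening/closing braces.
        if not rule or rule.startswith("#") or rule.endswith("{") or rule == "}":
            continue
        words = rule.split()
        if "deny" in words[:2]:
            continue  # an explicit deny tightens the profile
        while words and words[0] in QUALIFIERS:
            words.pop(0)
        keyword = words[0] if words else ""
        if keyword in MOUNT_RULES:
            reason = "changes the mount tree that path rules are matched against"
        elif keyword == "capability" and "sys_admin" in words[1:]:
            reason = "CAP_SYS_ADMIN permits mount and namespace operations"
        elif keyword.startswith(("/", "@{")) and re.search(r"[uU]x$", words[-1]):
            reason = "can execute the target unconfined, outside any profile"
        else:
            continue
        findings.append((lineno, rule, reason))
    return findings

if __name__ == "__main__":
    for lineno, rule, reason in audit_profile(SAMPLE_PROFILE):
        print(f"line {lineno}: {rule!r}: {reason}")
```
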

Bypassing SELinux

SELinux allows for an even tighter sandbox than AppArmor without the restraints of mount/namespaces because SELinux isn’t name-based.

I don’t think there are any inherent weaknesses or limitations of SELinux worth mentioning and, as with AppArmor, there hasn’t been a remote bypass in a long time.

So SELinux is also very powerful.

So What’s The Real Difference?

Oftentimes if one is bypassable the other is. SELinux is truly the more secure option in terms of limiting a process, but what comes with that is a very complex policy. An SELinux policy can be a dozen times longer than an AppArmor policy, and it’s definitely not as user-friendly, both in terms of readability and configuration. So while SELinux is ideally much more secure, they both provide a really high level of security and AppArmor is way easier to apply.

In Other Words…

They’re both incredibly secure but AppArmor is far easier to audit because of the simplicity. I respect that a properly configured SELinux profile is potentially much stronger than a properly configured AppArmor profile but if I can’t audit the policy I can’t verify the policy and that’s important.

I would rather run my system with every damn thing locked under AppArmor because I’m able to write the profiles myself than run a system with a few programs under SELinux written by someone else that I can’t properly audit because the policy is just convoluted.

This isn’t “AppArmor is better than SELinux” at all. I’m not saying that SELinux is weaker or worse. I’m saying that for me, personally, I’ll take AppArmor because having an easy to use security tool feels more secure to me than having a hard to use one. And I like RBAC too but it’s outside of the scope here – I will say that RBAC is really easy to audit and set up.

Sources:

http://www.nsa.gov/research/selinux/index.shtml

9 thoughts on “Why I Like AppArmor More Than SELinux”

    • Naturally. The entire LSM opens you up to attack. I’m sure there are vulnerabilities in apparmor just as there are in any piece of software of reasonable complexity.

      Thanks for the link.

    • I know this is a bit late, but the only listed distro affected is Debian. Fedora already has SELinux and I know there were several issues when they were first implementing it into the system. Hopefully the Debian team will get all the kinks out soon.

      I agree though that SELinux is a pain to set up and has a sharp learning curve to get it how you want it.

      • Finer grained control will always mean a more complex system but fine grained control is also the raison d’être of mandatory access control.

        Think about it, the very point of the system is denying certain abilities. The finer the control, the tighter the security. So SELinux is entirely justified in its complexity and is the superior system and the usual wisdom that simplicity is better doesn’t really apply.

        Not to mention that it’s considerably more mature and much more widely deployed/tested.

  2. In other words, you prefer simplicity over security.

    It’s myopic to suggest that something is “good enough” when there are better solutions available — especially in the realm of security.

    The *entire point* of MAC is fine grained control. Finer control means better security and better security is *always* better. Just because it’s hard to demonstrate an exploit in either doesn’t mean that the inferior solution is “good enough” or that the superior is “too good”. That’s incredibly backwards thinking for someone dealing with security.

    • Hi Craig,

      I agree that fine grained control is better than coarse grained. And if that were all we were discussing, I’d say SELinux is hands down better than Apparmor. There’s no question that it allows for more control.

      But that control comes at a price – profiles are much longer, and much more difficult to create (though they’ve made auditing simpler). This also makes them harder to audit, which has an impact on security.

      So the price is not just on usability, it’s actually hurting security to have such a difficult to understand profile.

      Both SELinux and Apparmor are weak to the same issues – kernel exploitation. So whether you’re running an incredibly tight SELinux sandbox or a fairly tight Apparmor sandbox an attack on the kernel will bypass both. So an attacker isn’t going to say “oh shit, they’re in SELinux, I only have an attack that bypasses Apparmor” – they’ll either have an attack that bypasses both or bypasses neither, and rarely something else.

      So at that point doesn’t it make sense to go with the profile that’s easier to audit for major issues? The profile that’s easier to build and maintain? It’s not about “good enough” it’s about weighing costs and benefits/ risk and reward, and that is definitely critical for anyone dealing with security.
