85

I was reviewing several different comparisons of AppArmor and SELinux which include:

From these articles I conclude that AppArmor is better than SELinux because AppArmor is far less complex and has a far shorter learning curve. Thus the majority of comparisons are in favour of AppArmor, but how can I say that AppArmor is more secure than SELinux?

Ali Ahmad

9 Answers

57

These security systems provide tools to isolate applications from each other... and in turn isolate an attacker from the rest of the system when an application is compromised.

SELinux rule sets are incredibly complex but with this complexity you have more control over how processes are isolated. Generating these policies can be automated. A strike against this security system is that it's very difficult to independently verify.

AppArmor (and SMACK) is very straightforward. The profiles can be hand written by humans, or generated using aa-logprof. AppArmor uses path-based control, making the system more transparent so it can be independently verified.

rook
  • 15
    "very difficult" and "very easy" sounds very subjective an answer to me. Besides, I think anyone willing to choose between AA and SELinux should ask themselves if the tools they need have a policy written in either of them, as a starter. Which of the two support namespaces, cgroups, Docker containers? – Steve Dodier-Lazaro Jul 06 '14 at 17:49
  • 4
    @Steve DL SE Linux is so complex it's impossible for even the developers to verify* – rook Jul 30 '14 at 14:48
  • 4
    I'm quite aware of the complexity of SELinux, did research on MAC tools based on it. The only comparative usability study on AA and SELinux is http://researchrepository.murdoch.edu.au/6177/1/empowering_end_users.pdf and it's not without drawbacks (not a population representative of sysadms or CISOs, and applying MAC to programs for which it was never intended). For the context being studied both AA and SELinux are insufficient, and that comes as no surprise. Your answer does not answer the question, and there is not enough fact-based evidence to answer it properly. – Steve Dodier-Lazaro Jul 30 '14 at 15:09
  • Automating config with SELinux is a bad idea. http://symcbean.blogspot.co.uk/2016/11/selinux-sucks.html – symcbean Dec 08 '16 at 17:33
  • 1
    It would be nice if you explained at least the basics between path and inode labeling, as that is important, given that AppArmor is the former and SELinux the latter. – forest Feb 20 '18 at 03:15
  • When reading that SELinux is "incredibly complex" and "very difficult to independently verify", it reminds me that SELinux has been created by the NSA so this complexity was maybe created on purpose to silently introduce backdoors like we saw with Snowden leaks. – baptx Dec 01 '18 at 18:01
  • docker runs with the `container_t` SELinux type in RHEL and derivatives. Here's an example of how that prevented a runc/docker vulnerability: https://rhelblog.redhat.com/2017/01/13/selinux-mitigates-container-vulnerability/ Is there a comparable AppArmor policyset that's required for packages to work out of the box? – Wes Turner Feb 21 '19 at 16:22
  • @baptx: Even the NSA gave up on SELinux - Prism was just one component of a custom operating system. But the policy (everyone here is confusing SELinux, the bit the NSA wrote, with the policy, I've only seen policies based on the one Redhat keep rewriting). – symcbean Jul 07 '20 at 19:17
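The path-versus-label distinction that the answer and the comments above touch on, as an added example that is not part of the original thread: a toy Python model in which the rule tables, type names and paths are all constructed. It shows the two models giving different answers for the same file once it has been renamed without a policy change or relabel.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed policy. Path rules mimic AppArmor's "glob -> permissions" style;
# fnmatch only approximates AppArmor globbing (there, * does not cross "/").
PATH_RULES = {"/etc/app/*.conf": "r", "/srv/app/data/*": "rw"}
# Type rules mimic SELinux type enforcement: (domain, object type) -> permissions.
TYPE_RULES = {("app_t", "app_conf_t"): "r", ("app_t", "app_data_t"): "rw"}

@dataclass
class Inode:
    label: str  # type stored with the object itself, independent of its name

@dataclass
class FileSystem:
    names: dict = field(default_factory=dict)  # pathname -> Inode

    def create(self, path, label):
        self.names[path] = Inode(label)

    def rename(self, old, new):
        # Same object, new name: the label travels with the inode.
        self.names[new] = self.names.pop(old)

def path_allows(path, perm):
    """Path-based decision: only the name being accessed matters."""
    return any(fnmatchcase(path, glob) and perm in perms
               for glob, perms in PATH_RULES.items())

def label_allows(fs, domain, path, perm):
    """Label-based decision: only the type of the object matters."""
    return perm in TYPE_RULES.get((domain, fs.names[path].label), "")

def decisions(fs, path, perm, domain="app_t"):
    return path_allows(path, perm), label_allows(fs, domain, path, perm)

def demo():
    fs = FileSystem()
    fs.create("/etc/app/main.conf", "app_conf_t")
    fs.create("/srv/app/data/cache.db", "app_data_t")
    out = {"conf write, original location": decisions(fs, "/etc/app/main.conf", "w")}
    # An administrator moves both files; no policy change and no relabel follows.
    fs.rename("/etc/app/main.conf", "/srv/app/data/main.conf")
    fs.rename("/srv/app/data/cache.db", "/etc/app/cache.conf")
    out["conf write, after move"] = decisions(fs, "/srv/app/data/main.conf", "w")
    out["cache write, after move"] = decisions(fs, "/etc/app/cache.conf", "w")
    return out

if __name__ == "__main__":
    for case, (by_path, by_label) in demo().items():
        print(f"{case}: path-based={by_path} label-based={by_label}")
```

Neither column is the "right" one: the path-based verdict follows the current name, the label-based verdict follows the object, so each model needs a different review step after files are moved.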
34

The insanitybit link is to my website. I'd just like to justify my opinion on here :)

If you look at SELinux and AppArmor, they are both strong and weak in the same ways. SELinux is "stronger" in that it can get even more finely grained access to files, but what does that gain an attacker over being in an AppArmor profile? You're already significantly restricted in an AppArmor profile. So, do you truly gain much more with SELinux?

What you do gain with SELinux (especially for policy creation, much more so than auditing - though audit-to-allow is painful too) is added complexity. A lot of it.

The path of least resistance in a Linux sandbox, such as SELinux or AppArmor, is the kernel. SELinux does nothing more than AppArmor to secure the kernel.

So if an attacker wants to go the stupid route of going for design issues in AppArmor/SELinux, SELinux is potentially more secure - but that assumes the profiles are built well, and, since SELinux is so complex, we've actually seen vulnerabilities introduced with it.

If an attacker is smart they'll go for the kernel, bypassing both.

So they are both weak in the same ways, both strong in every way that matters, and one of them is MUCH simpler.

Voila.

The butterknife metaphor doesn't work, that should be obvious.

IBit
  • 10
    Since you're pointing the kernel as the "weak point", maybe it's worth mentioning GrSecurity. – Xaqq Apr 01 '14 at 17:44
  • 4
    Yes, I've written quite a bit about Grsecurity on my website. No Linux system aiming for security is complete without it, and no one should rely on MAC without first addressing kernel weaknesses. – IBit Apr 03 '14 at 05:08
12

AppArmor is more secure through its simplicity, which makes it easier to review and validate policies. Mistakes are less likely to be made, easier to spot, and a backdoor attempt is harder to disguise.

evanxsummers
8

SELinux is surely a more complete and ambitious security tool than AppArmor. SELinux is a wide universe, it permeates everything, it potentially labels every object in the system and conceptually elevates the system to a more sophisticated security infrastructure, it allows you to implement all main security paradigms in access control theory; even military and government organizations can use it for their strict security needs. With SELinux it is possible to implement MAC ("Mandatory Access Control"), MLS ("Multi-Level Security", with Bell-LaPadula and Biba models), MCS ("Multi-Category Security"), RBAC ("Role Based Access Control"), TE ("Type Enforcement"). Besides, SELinux is based on the default deny principle.

AppArmor, on the other hand, simply lets you define what a single application can and cannot do, according to the principle of least privilege but without the implementation of complete security paradigms.

techraf
bryn1u
6

The whole point of mandatory access control is to allow fine grained configuration. Simplicity is completely irrelevant unless the two are equal on all other counts. Sometimes complexity is what it takes to get the job done.

As it happens, SELinux has much better granularity, is more mature, more widely deployed and in my subjective opinion, better engineered. Your conclusion is more like pop culture than a real assessment.

(I conclude that a butter knife is better than a chainsaw, based on a butter knife is far less complex and less dangerous)

Craig
  • 6
    A butter knife is better than a chainsaw... until you have to cut down a tree! – Michael Hampton Oct 18 '13 at 00:50
  • 1
    I strongly disagree with the assertion that SELinux is better engineered. It may be more difficult to break than AppArmor, however to implement and maintain an effective policy takes exponentially more effort than other approaches to the problem. Its **horrendous** complexity makes it impractical (arguably even dangerous) for most organizations to use as a security control on servers and workstations (the one place I am comfortable with its usage is on well supported appliances such as Android - and of course there's never any malware on Android?). – symcbean Oct 25 '16 at 16:08
5

In general, you cannot say that AppArmor is better than SELinux. This is because a lot depends on what it is you are securing and what you are securing against and on the individual skills and preferences of the person/people responsible for maintaining the system.

SELinux has greater fine grained control. In some situations, this would make it more appropriate than AppArmor. On the other hand, AppArmor is likely to be sufficiently powerful for a majority of Linux users. Furthermore, many report that it is easier to understand and use, which means it is less likely that errors in configuration will cause dangerous holes that are difficult to find. On the other hand, making someone who is comfortable and familiar with SELinux use AppArmor could easily result in configuration errors simply because it is not the system they know.

The point is, you need to evaluate based on the specific situation and the skill sets/preferences of those involved. Both are good systems - it is choosing the right tool for the right situation that matters, not which is better than the other.

Tim X
4

From my personal experience using SELinux I would say that it didn't add any amount of complexity to GNU+Linux; the only thing that it did, and I consider it an advantage, is to bring to us the complexity already inherent in the operating system. That it baffles many of us has nothing to do with its design paradigm or its implementation. In comparison with AppArmor (AA), SELinux has a more holistic and abstract point of view of what a secure system ought to be, whereas AA has a container mindset in thinking about applications, to the extent that in AA profiles the paths of the allowed resources are specified, which is not very abstract. Yes, it may be simpler to write a profile for each application, but you lose the holistic view of the system. Now, practically, SELinux works better with Fedora and RHEL as it comes preshipped, while AA works better on Ubuntu and SUSE, which means it would be better to learn how to use SELinux on the former distros than going through the hassle of making AA work on them, and vice versa.

sami
1

There is no point in comparing SELinux to AppArmor if you can't make SELinux as usable for a typical user as AppArmor.

Making security easy/easier matters. Look at your typical social media app on a phone. It asks for a litany of permissions, or else it just isn't going to be able to do anything for you. What do most users do? They simply grant the app the permissions it asks for, without any real regard for what the app is going to use these permissions for, simply because they don't want to be inconvenienced with not being able to use the app. Users do not understand the implications of the security decisions they make until it's too late, and often times this is because it's difficult to conceptualize the threat/risk. It doesn't matter how superior your security mechanisms are if users are not using them.

The user is the weakest link in the chain, always has been. It doesn't matter if the NSA prefers SELinux because they wrote it. They were always going to use it. Vendors that want to sell Linux to the government were always going to use the more complex tool. The rest of computer users will only use a tool to add security if they can figure out how to do so in about five minutes, no more. That's how much almost all users care about security and is why after decades of evidence that virus scanners do not work, it's still a multi-billion dollar industry. It's why unless forced to make complex passwords and use 2FA, users will make their password, "password1".

schroeder
0

I boldly assert that AppArmor is superior to SELinux in any environment in which NFS is used, as SELinux can’t secure it. AppArmor is easier to use as well, but this is a clear objective differentiation between them.

Gaius