Comments on: On AppArmor http://securityblog.org/brindle/2006/08/20/on-apparmor/ The ramblings of security neophyte Joshua Brindle Sat, 17 May 2008 04:10:20 +0000 http://wordpress.org/?v=2.5 By: dennyhalim http://securityblog.org/brindle/2006/08/20/on-apparmor/#comment-29141 dennyhalim Tue, 22 Apr 2008 06:24:25 +0000 http://securityblog.org/brindle/2006/08/20/on-apparmor/#comment-29141 just wondering why.... almost all 'perfect server setup guide' on howtoforge tell us to disable selinux? just wondering why….
almost all ‘perfect server setup guide’ on howtoforge tell us to disable selinux?

]]> By: judas_iscariote http://securityblog.org/brindle/2006/08/20/on-apparmor/#comment-144 judas_iscariote Thu, 12 Oct 2006 22:39:35 +0000 http://securityblog.org/brindle/2006/08/20/on-apparmor/#comment-144 Selinux may be better, but Im yet to find a normal sysadmin ( aka. a non extremely geek/wizard7security expert) that understand it's really obscure syntax. it is definately hard to use and completely unfriendly. Selinux may be better, but Im yet to find a normal sysadmin ( aka. a non extremely geek/wizard7security expert) that understand it’s really obscure syntax. it is definately hard to use and completely unfriendly.

]]> By: Kim Nilsson http://securityblog.org/brindle/2006/08/20/on-apparmor/#comment-61 Kim Nilsson Tue, 22 Aug 2006 16:50:13 +0000 http://securityblog.org/brindle/2006/08/20/on-apparmor/#comment-61 Logically true. Thank you for your input. Logically true.

Thank you for your input.

]]> By: Joshua Brindle http://securityblog.org/brindle/2006/08/20/on-apparmor/#comment-60 Joshua Brindle Tue, 22 Aug 2006 12:08:42 +0000 http://securityblog.org/brindle/2006/08/20/on-apparmor/#comment-60 I'll just respond to the last point, I am in the "a false sense of security is worse than no security at all" camp so I will say that yes, it can be worse to run AppArmor than not to do so. If you talk to most AppArmor developers directly they'll tell you their threat model (which is very limited) but if you listen to the PR at Novell or Crispins demo's at shows (he goes to alot, I'd be surprised if he gets any real work done) you'd think that AppArmor can solve all your problems. Bad Novell, Bad Bad Novell. I’ll just respond to the last point, I am in the “a false sense of security is worse than no security at all” camp so I will say that yes, it can be worse to run AppArmor than not to do so.

If you talk to most AppArmor developers directly they’ll tell you their threat model (which is very limited) but if you listen to the PR at Novell or Crispins demo’s at shows (he goes to alot, I’d be surprised if he gets any real work done) you’d think that AppArmor can solve all your problems.

Bad Novell, Bad Bad Novell.

]]> By: Kim Nilsson http://securityblog.org/brindle/2006/08/20/on-apparmor/#comment-59 Kim Nilsson Tue, 22 Aug 2006 04:10:02 +0000 http://securityblog.org/brindle/2006/08/20/on-apparmor/#comment-59 Yes, of course I read the article and I didn't mean to respond to any other articles. I read your comments on the various articles and just wanted your response, here, on the statement from the Novell guy about Thunderbird wanting/using the cap_setuid function. If it's a built-in function of Thunderbird, why would it be a bad idea to have AppArmor catch it, so it can be disabled? If you don't understand that you have to go through all rules and make sure they are set right, why would you even want to try a "secure" os? What I understood from the article is that AppArmor understands that Thunderbird can use this function (but probably doesn't, since app works even if it's disabled - which you say it is in SELinux) and therefore lists it when investigating the app. It isn't enabling a non-secure function to make Thunderbird less secure than without the AppArmor. Basically, my response to this bickering back and forth between you and them is that users shouldn't use any program if they don't really know how it works. Especially anything security related. Also, do you really think that an AppArmor-suited os is LESS secure than one without AppArmor or is your rant really only based on the fact that they chose to use AppArmor instead of SELinux and then said that it was easier to use? I have myself considered running SELinux on my systems, but there is no way in hell I will do that before I feel certain that it does what I want it to do and doesn't make it too hard for me to admin them. On the other hand your articles have shown me that there would be no point in installing AppArmor instead. For that, I thank you. Yes, of course I read the article and I didn’t mean to respond to any other articles.
I read your comments on the various articles and just wanted your response, here, on the statement from the Novell guy about Thunderbird wanting/using the cap_setuid function. If it’s a built-in function of Thunderbird, why would it be a bad idea to have AppArmor catch it, so it can be disabled? If you don’t understand that you have to go through all rules and make sure they are set right, why would you even want to try a “secure” os? What I understood from the article is that AppArmor understands that Thunderbird can use this function (but probably doesn’t, since app works even if it’s disabled - which you say it is in SELinux) and therefore lists it when investigating the app. It isn’t enabling a non-secure function to make Thunderbird less secure than without the AppArmor.
Basically, my response to this bickering back and forth between you and them is that users shouldn’t use any program if they don’t really know how it works. Especially anything security related.
Also, do you really think that an AppArmor-suited os is LESS secure than one without AppArmor or is your rant really only based on the fact that they chose to use AppArmor instead of SELinux and then said that it was easier to use?
I have myself considered running SELinux on my systems, but there is no way in hell I will do that before I feel certain that it does what I want it to do and doesn’t make it too hard for me to admin them. On the other hand your articles have shown me that there would be no point in installing AppArmor instead. For that, I thank you.

]]> By: Joshua Brindle http://securityblog.org/brindle/2006/08/20/on-apparmor/#comment-58 Joshua Brindle Mon, 21 Aug 2006 11:50:18 +0000 http://securityblog.org/brindle/2006/08/20/on-apparmor/#comment-58 Well, did you read my article? I didn't even talk about the thunderbird thing, perhaps you meant to respond on the article I referred to. However! This does show one of the outstanding failures of AppArmor, the claim is that its so easy to write a policy that anyone can, and you have the inventor of AppArmor up on stage writing a policy in 5 minutes that has unnecessary permissions (very bad ones at that) and then he admits in an email that he no idea why its there. The SELinux policy sure doesn't have cap_setuid. Policy cannot be written by people that don't know what permissions mean or what apps should be able to do with a reasonable configuration, period. Well, did you read my article? I didn’t even talk about the thunderbird thing, perhaps you meant to respond on the article I referred to.

However! This does show one of the outstanding failures of AppArmor, the claim is that its so easy to write a policy that anyone can, and you have the inventor of AppArmor up on stage writing a policy in 5 minutes that has unnecessary permissions (very bad ones at that) and then he admits in an email that he no idea why its there.

The SELinux policy sure doesn’t have cap_setuid.

Policy cannot be written by people that don’t know what permissions mean or what apps should be able to do with a reasonable configuration, period.

]]> By: Kim Nilsson http://securityblog.org/brindle/2006/08/20/on-apparmor/#comment-57 Kim Nilsson Mon, 21 Aug 2006 04:30:34 +0000 http://securityblog.org/brindle/2006/08/20/on-apparmor/#comment-57 Did you read the follow-up post? http://archives.neohapsis.com/archives/sf/www-mobile/2006-q2/0017.html ***************** > but as you posted an example profile with "capability setuid", I must > admit I am curious as to why an email client needs that. Well now that is a very good question, but it has nothing to do with AppArmor. The AppArmor learning mode just records the actions that the application performs. With or without AppArmor, the Thunderbird mail client is using cap_setuid. AppArmor gives you the opportunity to *deny* that capability, so you can try blocking it and find out. But for documentation on why Thunderbird needs it, you would have to look at mozilla.org not the AppArmor pages. Did you read the follow-up post?
http://archives.neohapsis.com/archives/sf/www-mobile/2006-q2/0017.html

*****************
> but as you posted an example profile with “capability setuid”, I must
> admit I am curious as to why an email client needs that.
Well now that is a very good question, but it has nothing to do with
AppArmor. The AppArmor learning mode just records the actions that the
application performs. With or without AppArmor, the Thunderbird mail
client is using cap_setuid. AppArmor gives you the opportunity to *deny*
that capability, so you can try blocking it and find out. But for
documentation on why Thunderbird needs it, you would have to look at
mozilla.org not the AppArmor pages.

]]>