Which MAC to use

Linux_Kidd · 01-11-2012, 10:39 AM

i am trying to get a feeling of which MAC package you feel is better. this is not a "which one do you use" poll.

for those who have had a chance to use each of these, which one do you feel provides the best protection?

SELinux
GRSecurity
AppArmor

przemek.klosowski · 01-17-2012, 04:47 PM

SELinux in my opinion has the most development momentum. I really appreciate Dan Walsh's commitment to fixing problems and answering questions on the devel lists

Linux_Kidd · 01-17-2012, 09:03 PM

Quote:

Originally Posted by przemek.klosowski

SELinux in my opinion has the most development momentum. I really appreciate Dan Walsh's commitment to fixing problems and answering questions on the devel lists

thnx for this input, exactly the stuff i am looking for.
i read a bunch about AppArmor, how easy it is, easy to understand, yada yada yada, but when you factor in its for a dying breed i want to shy away from it, etc.

GRsecurity also seems to have some followers. some places like phoenixnap.com use GRsecurity religiously, my guess is because GRsec has more pre-built selections than SElinux does, but i lean more towards protection ability and robust support vs. out-of-the-box pre-built settings.

ryran · 01-18-2012, 01:00 PM

I have no familiarity with AppArmor and have never even heard of GRSecurity.

What is now known as SELinux is a MAC system that evolved from patches to the kernel created by the United States of America's NSA (National Security Agency) for their own use (and before that, whole MAC operating systems). I have no reason to convince anyone one way or another.. times change.. needs and software evolve.. new ideas emerge.... but SELinux is rock-solid and has a lot of developer backing (thank you very much, Red Hat).

Linux_Kidd · 01-18-2012, 01:52 PM

Quote:

Originally Posted by ryran

I have no familiarity with AppArmor and have never even heard of GRSecurity.

What is now known as SELinux is a MAC system that evolved from patches to the kernel created by the United States of America's NSA (National Security Agency) for their own use (and before that, whole MAC operating systems). I have no reason to convince anyone one way or another.. times change.. needs and software evolve.. new ideas emerge.... but SELinux is rock-solid and has a lot of developer backing (thank you very much, Red Hat).

well, others are indeed on the heels of RH. GRsec is nifty and from what i can tell its gaining attention.

ryran · 01-18-2012, 03:16 PM

Quote:

Originally Posted by Linux_Kidd

well, others are indeed on the heels of RH. GRsec is nifty and from what i can tell its gaining attention.

First of all, SELinux is not just Red Hat. I think RHT had the will and the resources to make SELinux happen, but they didn't do it just for themselves.

Like I said, new ideas emerge, better ways to do things are thought of ... this is how upstart and then systemd came along. After doing some reading, of course I can agree that GRSec looks promising, but if someone wants a comprehensive MAC solution for linux, it seems like SELinux is still the best choice. Also, I'm surprised you didn't mention TOMOYO -- from what I understand, it's a lot more alive than AppArmor.

Also, I'm sure you've already googled about this, but the conclusion from this paper is .. well, something.

Quote:

9 Conclusions
After doing a thorough theoretical and practical comparison between SELinux and grsecurity, we
were able to make several broad conclusions about the potential advantages and disadvantages of
each system with respect to the other. We purposely compared the two in terms of their theory
and practicality so as to provide a deeper understanding of how one vies with the other. It is
common knowledge that theory and practice are two very different entities and sometimes a
system which appears to be more theoretically sound than another is sometimes less practical.

9.1 Conclusions Pertaining to Theory
From a theoretical standpoint, SELinux is a more powerful access control mechanism, since it
incorporates role-based access control (RBAC). Nevertheless, we believe the two theories allow
for sound security models. They both allow for easy control of access between processes and
objects, processes and other processes, and objects and other objects.

9.2 Conclusions Pertaining to Practice
The tools and capabilities that come with each set one security system apart from the other. The
Flask architecture in SELinux provides for a flexible security policy. This means that the
administrator can very easily manipulate and customize the policy by simply modifying a set of
policy files written in a policy language set forth by the developers of SELinux. The policy
language is not so easy to learn but allows for efficient methods of customization. Based upon
our experimental implementation of a security policy using SELinux, we conclude that this
policy language is powerful and robust and should be considered (by one choosing to use one
security system over the other) as the most dominating advantage it has. Grsecurity, on the other
hand, comes with the gradm tool, which is capable of programmatically optimizing and finetuning
ACLs in the operating system. In basing his choice on whether he likes one system over
the other, one should first decide whether he wants the flexibility but semi-difficulty that
SELinux offers or the somewhat inflexibility but ease that grsecurity offers.

In terms of performance of one system over the other, we conclude that they are generally equal
in quality. Although, we noted several small differences of performance in very specific areas,
we believe that these differences balance out and do not hold much water in helping one choose
his preference of one system over the other.