Ubuntu's AppArmor system is reasonably and pleasantly non-obnoxious
I have historically not had much love for extra access control systems layered on top of Linux, such as SELinux. We don't have very high opinions of Ubuntu's AppArmor system either and have mostly avoided dealing with it, but after recently having to do things with it I have to say that it's at least not particularly obnoxious.
What drove us to having something to do with AppArmor at all was that it keeps getting restarted every so often on machines where we let users run MySQL daemons (for example for user-run web server setups). When users are running MySQL this way, the MySQL database files are of course not where the AppArmor profile expects them to be, so the moment AppArmor starts up, all user-run MySQL daemons fall over dead (or fail to start). Once this had happened a few times we both figured out what was going on and got sick of it, so we needed to permanently defang AppArmor here, which meant actually understanding at least part of AppArmor.
This, well, it wasn't too bad. It was even reasonably okay. Without too much trouble we were able to read the existing AppArmor profile and work out both a way of adding decently appropriate AppArmor access permissions for where our user MySQL databases should be and also a way of permanently disabling MySQL confinement even when AppArmor is running (we opted to do the latter). Figuring out the new rules necessary was a sufficiently pleasant experience that I can actually imagine working with AppArmor and writing AppArmor profiles without hating myself.
Two things that help a bunch are that AppArmor profiles are plain text and they're generally written about paths in the filesystem. Plain text makes them readable, and directly using filesystem paths makes them easy to reason about; it is pretty obvious what allowing the process owner to access their own files under '/w/*/*/**' will do (for one example). AppArmor also has a relatively clean model of site-specific additions and overrides for standard policies, and as yet another plus, the AppArmor status reporting tool actually has useful information about the overall state of your system.
(I will note that the other thing a good text format is good for is having comments. Comments are really good for understanding why something is in a policy. Even file naming can help here.)
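As an added example (not code from the post), here is how the two fixes described above look in practice: granting the daemon access to the user database tree through Ubuntu's site-local override file, or disabling confinement of the profile outright. It assumes Ubuntu's profile is `/etc/apparmor.d/usr.sbin.mysqld` and ends with an `include <local/usr.sbin.mysqld>` line; `AA_ROOT` can be pointed at a scratch directory to rehearse the edits before touching the live system.

```shell
#!/bin/sh
# Added example, not from the original post. Manages the AppArmor profile
# for a MySQL daemon in the two ways the post describes.
# Assumptions: the Ubuntu profile is named usr.sbin.mysqld and pulls in a
# site-local override via "include <local/usr.sbin.mysqld>"; AA_ROOT may be
# redirected to a scratch directory for a dry run.
AA_ROOT="${AA_ROOT:-/etc/apparmor.d}"
PROFILE="usr.sbin.mysqld"

# Option 1: allow user-run daemons to use databases under /w/*/*/ (the tree
# from the post) by appending rules to the local override file.
# Returns 1 and writes nothing if the main profile does not include the
# local file, since the added rules would then silently never take effect.
add_user_db_rules() {
    main="$AA_ROOT/$PROFILE"
    local_file="$AA_ROOT/local/$PROFILE"
    grep -q "include <local/$PROFILE>" "$main" || return 1
    mkdir -p "$AA_ROOT/local"
    cat >> "$local_file" <<'EOF'
# Site-local: user-run MySQL daemons keep their databases under the
# user's own directory rather than the packaged datadir. The owner
# qualifier limits this to files owned by the uid the daemon runs as.
owner /w/*/*/       r,
owner /w/*/*/**     rwk,
EOF
}

# Option 2: permanently disable confinement of this profile, the same way
# aa-disable does it: a symlink in disable/ keeps the profile from being
# loaded at boot. The policy already in the kernel still needs an unload.
disable_profile() {
    mkdir -p "$AA_ROOT/disable"
    ln -sf "$AA_ROOT/$PROFILE" "$AA_ROOT/disable/$PROFILE"
}

# Apply to the running kernel: reload after option 1, unload after option 2.
# Only meaningful against the real /etc/apparmor.d, run as root.
reload_profile() { apparmor_parser -r "$AA_ROOT/$PROFILE"; }
unload_profile() { apparmor_parser -R "$AA_ROOT/$PROFILE"; }
```

Afterwards `aa-status` shows whether the mysqld profile is still loaded in enforce mode or has gone away entirely.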
I'm sure that AppArmor is strictly less powerful and capable than SELinux, both in theory and in practice based on how people write actual policies (since fine-grained policies are a problem). But it's a lot more usable in practice for a non-expert, sufficiently so that I would be willing to consider using it on one of my machines.
(Other handy links for AppArmor stuff include Ubuntu's page on debugging AppArmor and the quick guide to the profiling language as well as the documentation in general.)