Frequently Asked Questions about AppArmor
After I completed the SLES10 AppArmor blog series last week, several questions about SAP and AppArmor came up. This blog answers those questions, and maybe some you haven’t asked yet. Overall, you will have a better overview of where you, SAP and AppArmor will be in the future. If you have unanswered questions, please use the comment function at the bottom of the page to ask them.
What happens to AppArmor after Novell laid off the team?
Today, Novell ships AppArmor with SLES10, and I’m pretty sure that SLES11 will have AppArmor as well. There is a really nice and easy-to-use security technology available for Novell’s SUSE Enterprise Server and Desktop, including the corresponding YaST2 modules. It would be very simpleminded to drop such a technology. My guess is that Novell will stay with AppArmor.
Is AppArmor only used in Novell’s SLES/SLED?
No, currently there are two distributions on their way to including AppArmor as well: Ubuntu 7.10 and Mandriva 2008. Having SLES for your SAP servers and Ubuntu or Mandriva for your desktops gives you the chance to use one unified security technology. This will cut down costs for administration and maintenance for both clients and servers.
Will SAP certify AppArmor?
The situation for third-party technologies (e.g. high availability solutions) using the Linux platform is as follows. The LinuxLab does not certify any third-party solution at all. There are several consulting companies that will implement these technologies at the customer site, and the same procedure applies to AppArmor as well. You have to get in contact with a consulting company providing such services. I heard of Mercenary Linux or REALTECH being able to do so. Just ask them!
Will SAP support AppArmor?
There is no clear yes or no in this case. Of course you can use AppArmor with your SAP application or database servers. This scenario may run without problems forever. But there are restrictions by SAP and other third-party vendors (e.g. Oracle) in place. In case of issues with SAP software, SAP support is going to get involved and may demand that you turn off AppArmor. Software security technologies are known for restricting the actions of certain subjects and objects. Software may malfunction at some point, so first it has to be proven whether or not the security software causes the issue. Once it is proven that the security software causes the problem, check whether a wrong policy is in place or a bug in the security software itself caused the issue. If the issue is reproducible without any security software running, SAP support will of course take over.
Will SAP provide an AppArmor policy?
Besides the simple policies of the AppArmor blog series, there will be no AppArmor policies made by SAP. It is up to you who creates AppArmor policies for your SAP system. Do it yourself or ask a consulting company to do so.
Will SAP provide policies for SELinux?
No, same answer as above.