Web lists-archives.com

Re: Let's enable AppArmor by default (why not?)




On Fri, 2017-08-04 at 19:31 -0400, intrigeri wrote:
> tl;dr: I hereby propose we enable AppArmor by default in testing/sid,
> and decide one year later if we want to keep it this way in the
> Buster release.

On most systems, people tend to disable LSM first. Because many a times
an inadequate policy hinders the use of the tool. And on the desktop
machine this becomes more common an issue.

On the SELinux side, there used to be a nice reporting tool for the
desktop, setroubleshoot. It used to alert (graphical and console) any
policy violations.

A DE agnostic alert tool would be necessary for wide adoption of any
LSM implementation.

In my opinion, we should start with an alert tool (to report policy
violations), and a handful of server packages.


-- 
Given the large number of mailing lists I follow, I request you to CC
me in replies for quicker response

Attachment: signature.asc
Description: This is a digitally signed message part