Web lists-archives.com

Re: Let's enable AppArmor by default (why not?)




Hello Jeremy,

On Mon, 2017-08-07 at 08:47 -0400, Jeremy Bicha wrote:
> While there are plenty of people who recommend disabling SELinux by
> default on Fedora/RHEL (at least in the past), it's far, far less
> common to hear about anyone recommending disabling AppArmor. And
> that's one reason AppArmor is being proposed here and not SELinux.

They both serve the same purpose; to confine a running process, by the
mandated policy. The core problem is the policy, which may/will not fit
all users irrespective of the LSM implementation they use.

The previous adopters were all targeted distributions and it still took
some time for users to get accustomed to it.

RHEL confined most server packages. For the rest of the system, I
believe it ran unconfined. And they used to have a decent reporting
tool for policy violations.

SUSE used to have a robust LSM integration into YaST.

For a general purpose distribution like Debian, intri's proposal on the
server side is good. We could definitely leverage the policy files from
Ubuntu and SUSE.

But for desktop users, I worry this would cause more pain.
But I see there's an apparmor-notify package. Maybe that is the answer.
I'll check that out some time soon.


Thanks,
Ritesh

-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System

Attachment: signature.asc
Description: This is a digitally signed message part