
Re: recommends for apparmor in newest linux-image-4.13




On Wed, Nov 29, 2017 at 12:03:08AM +0100, Marco d'Itri wrote:
> On Nov 28, Christoph Hellwig <hch@xxxxxx> wrote:
>> It's just a bad idea of a security model that implements ad-hoc
>> and mostly path based restrictions instead of an actually verified
>> security model.  Using that by default makes it much harder to actually
>> use a real MAC based security model, which not only is required for
>> various security sensitive deployments but also a good idea in general.
> This may be true, but OTOH nobody cared enough about SELinux to actually
> make it work out of the box in Debian.

By that criterion, it doesn't seem like anyone cares about apparmor either...
FWIW, I also think apparmor a bad idea, but it's somehow morphed
from "can we make it possible to turn apparmor on" to "let's make RC bugs for stuff that doesn't work with apparmor" without much real buy-in AFAICT.

Mike Stone