
Re: recommends for apparmor in newest linux-image-4.13


Michael Stone:
> On Wed, Nov 29, 2017 at 01:17:26PM +0100, Emilio Pozuelo Monfort wrote:
>> Nobody said problems are going to magically go away by enabling apparmor. OTOH,
>> we won't know to what extent problems exist until it gets enabled everywhere.

> Exactly the same argument can be made for selinux.

In theory, sure. In practice, well, apparently nobody made that same
argument for SELinux; I suspect there's a reason for it.

One problem with the decision making process we've gone through is
that so far, we lack information about the current state of SELinux in
Debian to be able to do a fair comparison: as far as I can tell, most
of the SELinux info that was contributed to this discussion came from
a (very nice and informative) Fedora developer and was not applying
directly to Debian. So we discussed "what would it take to enable
AppArmor by default in Buster" instead of "which LSM can/should we
enable by default in Buster?".

I'm happy to participate in the latter discussion but I won't be the
one starting and facilitating it. I think basically all the info we
need wrt. AppArmor is already on the corresponding discussion thread
and the missing bits are being gathered with the current
experimentation; if something is missing, just ask; then someone
should sum this info somewhere (I can do this but perhaps someone less
biased than me would be better). We'll need similar information about
SELinux in Debian; and if the SELinux maintainers say it's OK to try
it, let's do the same experiment for SELinux (say in 3 months, we
switch the default, enforced by default LSM from AppArmor to SELinux).

> But for some reason just turning on selinux by default to fix
> everything wasn't a good solution, but turning on apparmor for the
> same reason is. I'm trying to understand this logic.

I was familiar enough with the state of AppArmor in Debian to be
confident we could turn it on without breaking lots of critical
functionality on the vast majority of Debian testing/sid systems (the
Ubuntu experience helps a lot). I think what happened in the last two
weeks proved this point.

I'm not familiar enough with the state of SELinux in Debian to know
precisely why the SELinux maintainers did not propose enabling it by
default (it might be due to the current state being far from good
enough, it might be due to lack of resources to handle bug reports, it
might be that I was too pushy with AppArmor so they did not dare,
really I don't know). I would be very interested to get data points
about this, either from the SELinux maintainers, or from enthusiastic
users willing to enforce SELinux today on their Debian testing/sid
desktop system and report how it goes.