
Re: Re: recommends for apparmor in newest linux-image-4.13

Theodore Ts'o wrote:

On Wed, Nov 29, 2017 at 11:51:55AM -0800, Russ Allbery wrote:

> Michael Stone <mstone@xxxxxxxxxx> writes:
> > On Tue, Nov 28, 2017 at 08:22:50PM -0800, Russ Allbery wrote:
>
> >> Ubuntu has successfully shipped with AppArmor enabled.
>
> > For all the packages in debian? Cool! That will save a lot of work.
>
> Yes? I mean, most of them don't have rules, so it doesn't do anything,
> but that's how we start.  But indeed, Ubuntu has already done a ton of
> work here, so it *does* save us quite a bit of work.

The fact that AppArmor doesn't do anything if it doesn't have any
rules is why we have a chance of enabling it by default.  The problem
with SELinux is that it's "secure" by the security-weenies' definition
of secure --- that is, if there isn't provision made for a particular
application, with SELinux that application is secure the way a
computer with thermite applied to the hard drive is secure --- it
simply doesn't work.

The SELinux policy could be altered to either run everything that we know is not ready to be confined in an unconfined domain or put that domain in permissive (which would result in a lot of denials being logged), so it's possible to behave more or less the same way as AppArmor depending on how the policy is designed.

Every few years, I've tried turning on SELinux on my development
laptop.  After it completely fails and trying to make it work just
work for the subset of application that I care about, I give up and
turn it off again.  Having some kind of LSM enabled is, as far as I am
concerned, better than nothing.

I feel that having AppArmor running and not doing anything will give people a false sense of security; on my test machine almost nothing was confined.

TBH I'm a bit disappointed with the upstream state of AppArmor (no D-Bus mediation, ...) and other missing features that are still Ubuntu-only.
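
Added example (not part of the thread, and not AppArmor's own tooling): one way to measure how much of a system is actually confined, which is the concern raised in the message above, is to tally processes by the AppArmor label in /proc/<pid>/attr/current. The function names and the sample labels are constructed for illustration, and the code assumes that attr/current carries the AppArmor label.

```python
import os
from collections import Counter

# Constructed sample of (pid, label) pairs in the format AppArmor exposes.
SAMPLE = [
    (1, "unconfined\n"),
    (412, "/usr/sbin/cupsd (enforce)\n"),
    (533, "/usr/bin/evince (complain)\n"),
    (801, "unconfined\n"),
    (950, "unconfined\n"),
]

def parse_label(raw):
    """Split a label such as '/usr/sbin/cupsd (enforce)' into (profile, mode)."""
    label = raw.replace("\x00", "").strip()
    if label == "unconfined":
        return ("unconfined", "unconfined")
    if label.endswith(")") and " (" in label:
        profile, mode = label[:-1].rsplit(" (", 1)
        return (profile, mode)
    # Empty, or a label from another LSM (e.g. an SELinux context).
    return (label, "unknown")

def summarize(labels):
    """Count processes per mode from an iterable of (pid, raw_label)."""
    return Counter(parse_label(raw)[1] for _pid, raw in labels)

def enforce_ratio(counts):
    """Fraction of observed processes running under an enforcing profile."""
    total = sum(counts.values())
    return counts["enforce"] / total if total else 0.0

def read_proc_labels(proc="/proc"):
    """Yield (pid, label) for live processes; run as root for a full view."""
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "attr", "current")) as fh:
                yield int(entry), fh.read()
        except OSError:
            continue  # process exited, attribute unreadable, or no LSM label

if __name__ == "__main__":
    counts = summarize(read_proc_labels())
    print(dict(counts), f"enforcing: {enforce_ratio(counts):.1%}")
```

Processes in complain mode are counted separately from enforce because a complain-mode profile only logs and does not block anything.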