Web lists-archives.com

Re: recommends for apparmor in newest linux-image-4.13

Hi Laurent,

Laurent Bigonville:
> The SELinux policy could be altered to either run everything that we know is not
> ready to be confined in an unconfined domain or put that domain in permissive (which
> would result in a lot of denials being logged), so it's possible to behave more or
> less the same way as AppArmor depending of how the policy is designed.


Is there any plan to do this up to the point when it's realistic to
enable SELinux by default on Debian? Ideally this would be done early
enough so we can run the s/AppArmor/SELinux/ experiment during the
Buster cycle, and make a decision in time for Buster.

(I'm not counting on LSM stacking being finalized in time for Buster
so for now, if we want a LSM enabled by default, we need to choose
exactly one. I'd be fine with SELinux instead of AppArmor; what would
make me sad is if we remained in the "no LSM" situation much longer
only because we don't manage to pick one.)

> I feel that having Apparmor running and not doing anything will give people a false
> sense of security,

That's definitely a risk. If AppArmor ends up being enabled by default
in Debian some day, I think we can easily mitigate this risk by
carefully wording our public communication about it.

> TBH I'm a bit disappointed with upstream state of Apparmor (no D-Bus mediation,...)
> and other missing features that are still ubuntu only.

I can definitely relate to that feeling and have been frustrated about
this for years. Thankfully things have changed drastically recently:
quite a few features have been upstreamed to Linux mainline in 4.13
and 4.14, and more is upcoming, so I'm now hopeful :)