[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Let's enable AppArmor by default (why not?)

On Sun, Aug 06, 2017 at 01:27:49PM +0500, Andrey Rahmatullin wrote:
> On Sun, Aug 06, 2017 at 07:28:08AM +0000, Dr. Bas Wijnen wrote:
> > I can't think of a situation where you would not want it
> The "I don't want yet another thing that can cause subtle breakages and
> doesn't give me anything" situation (see disabling selinux after install
> on RH systems).

It actually does give you anything, and debugging SELinux breakages is
fairly simple, with the fix usually being rather small.

For a while after RedHat started enabling SELinux by default on their
systems, a number of security researchers yelled "I've found an
exploitable bug in RedHat" for which the first step to exploit was
always "first, disable SELinux". I'm not saying that that's not a
problem, but it *does* show that using SELinux or AppArmor has benefits.

I think enabling an LSM by default is a good idea, and we should do it
if we can. The "subtle breakages" you mention are annoying for you, but
they can be a showstopper for an attacker, and that's a *good* thing.
Yes, obviously when we enable an LSM we should also make it easy for
users to understand that something is blocked by the LSM and explain to
them how they can unblock it if they want to. But just saying "it causes
issues, let's not" is the same as saying "permissions on the file system
causes issues, let's install to FAT32 everywhere", and that's just not a
good idea.

Could you people please use IRC like normal people?!?

  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008

Reply to: