Re: Re: recommends for apparmor in newest linux-image-4.13

[Laurent Bigonville <bigon@debian.org>]

Theodore Ts'o wrote:

On Wed, Nov 29, 2017 at 11:51:55AM -0800, Russ Allbery wrote:

> > Michael Stone <mstone@debian.org> writes:
> > > On Tue, Nov 28, 2017 at 08:22:50PM -0800, Russ Allbery wrote:
> > 
> > >> Ubuntu has successfully shipped with AppArmor enabled.
> > 
> > > For all the packages in debian? Cool! That will save a lot of work.
> > 
> > Yes?  I mean, most of them don't have rules, so it doesn't do anything,
> > but that's how we start.  But indeed, Ubuntu has already done a ton of
> > work here, so it *does* save us quite a bit of work.
>
> The fact that AppArmor doesn't do anything if it doesn't have any
> rules is why we have a chance of enabling it by default.  The problem
> with SELinux is that it's "secure" by the security-weenies' definition
> of secure --- that is, if there isn't provision made for a particular
> application, with SELinux that application is secure the way a
> computer with thermite applied to the hard drive is secure --- it
> simply doesn't work.

The SELinux policy could be altered to either run everything that we 
know is not ready to be confined in an unconfined domain or put that 
domain in permissive (which would result in a lot of denials being 
logged), so it's possible to behave more or less the same way as 
AppArmor depending of how the policy is designed.


> Every few years, I've tried turning on SELinux on my development
> laptop.  After it completely fails and trying to make it work just
> work for the subset of application that I care about, I give up and
> turn it off again.  Having some kind of LSM enabled is, as far as I am
> concerned, better than nothing.

I feel that having Apparmor running and not doing anything will give 
people a false sense of security, on my test machine almost nothing was 
confined

TBH I'm a bit disappointed with upstream state of Apparmor (no D-Bus 
mediation,...) and other missing features that are still ubuntu only.