> Michael Stone <mstone@debian.org> writes:
> > On Tue, Nov 28, 2017 at 08:22:50PM -0800, Russ Allbery wrote:
>
> >> Ubuntu has successfully shipped with AppArmor enabled.
>
> > For all the packages in debian? Cool! That will save a lot of work.
>
> Yes? I mean, most of them don't have rules, so it doesn't do anything,
> but that's how we start. But indeed, Ubuntu has already done a ton of
> work here, so it *does* save us quite a bit of work.

The fact that AppArmor doesn't do anything if it doesn't have any
rules is why we have a chance of enabling it by default. The problem
with SELinux is that it's "secure" by the security-weenies' definition
of secure --- that is, if there isn't provision made for a particular
application, with SELinux that application is secure the way a
computer with thermite applied to the hard drive is secure --- it
simply doesn't work.
Every few years, I've tried turning on SELinux on my development
laptop. After it completely fails, and trying to make it just work
for the subset of applications that I care about fails too, I give up
and turn it off again. Having some kind of LSM enabled is, as far as I
am concerned, better than nothing.
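As an added illustration of the "no rules, no effect" behaviour discussed above (example code, not part of the thread): each process's AppArmor label is exposed in /proc/<pid>/attr/current, reading "unconfined" when no profile applies and "<profile> (enforce)" or "<profile> (complain)" otherwise, so a quick count shows how much of a running system a default-on AppArmor actually confines. The PROC_ROOT argument is an assumption added so the function can be pointed at a constructed directory tree instead of the live /proc.

```shell
#!/bin/sh
# Classify one AppArmor label as read from /proc/<pid>/attr/current.
# Prints: enforce | complain | unconfined
aa_label_state() {
    case "$1" in
        *"(enforce)"*)  echo enforce ;;
        *"(complain)"*) echo complain ;;
        *)              echo unconfined ;;   # no profile loaded: LSM does nothing
    esac
}

# Summarise confinement over every process under PROC_ROOT (default /proc).
# Usage: aa_summary [PROC_ROOT]
# Prints: enforce=N complain=N unconfined=N
aa_summary() {
    root="${1:-/proc}"
    enforce=0; complain=0; unconfined=0
    for attr in "$root"/[0-9]*/attr/current; do
        # Skip the literal glob (no matches) and processes that exited mid-scan.
        [ -r "$attr" ] || continue
        label=$(cat "$attr" 2>/dev/null || true)
        case "$(aa_label_state "$label")" in
            enforce)  enforce=$((enforce + 1)) ;;
            complain) complain=$((complain + 1)) ;;
            *)        unconfined=$((unconfined + 1)) ;;
        esac
    done
    echo "enforce=$enforce complain=$complain unconfined=$unconfined"
}
```

Run `aa_summary` on a live host to see how many processes are actually confined; a large unconfined count is the "most of them don't have rules" state the thread describes, not a misconfiguration.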