Re: recommends for apparmor in newest linux-image-4.13

[Wouter Verhelst <wouter@debian.org>]

On Sun, Dec 10, 2017 at 04:21:18PM -0500, Theodore Ts'o wrote:
> On Wed, Dec 06, 2017 at 11:24:45AM +0100, Laurent Bigonville wrote:
> > The SELinux policy could be altered to either run everything that we know is
> > not ready to be confined in an unconfined domain or put that domain in
> > permissive (which would result in a lot of denials being logged), so it's
> > possible to behave more or less the same way as AppArmor depending of how
> > the policy is designed.
> 
> It "could" be altered the same way that anyone "could" modify a
> sendmail.cf file.  Someone "could" create a program which plays the
> game of Go written raw assembly language.

I think Laurent was wearing his "contributor to the Debian SELinux
packages" hat in that that was one of the options if that's wanted,
rather than the more "theoretically this is possible" thing you seem to
be referring to.

> If it "could" be done, why hasn't been done in the past decade?

Because nobody ever thought it would be a good idea? But ideas and
thoughts can change.

-- 
Could you people please use IRC like normal people?!?

  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008
     Hacklab