On Thu, Apr 24, 2014 at 11:45:46AM +0200, Giacomo Mulas wrote: > On Thu, 24 Apr 2014, Paul Wise wrote: > >>Would the inclusion of more AppArmor profiles be applicable? > >Thanks, added along with SELinux/etc. > I second that. Actually, some time ago I tried using both AppArmor and > SELinux, but gave up because it took forever to find legitimate behaviour of > all kinds of common packages (most of them standard debian packages) and > prepare configuration files for things to work. If debian wants to foster > adoption of such security enhancements, it must go to great lengths in > making sure that (in order of importance in my humble opinion) > 1) all debian-packaged software works (very nearly) out of the box with > debian-supported MAC frameworks. It should be very clear that if they don't > it's an important bug that needs fixing. For example, such bugs should > prevent the inclusion of a package in an official stable release. Or split > the main debian archive in two, one that is MAC-ready and one that is not, > so each user can decide to only use packages known to work well with > debian-supported MAC frameworks. The apparmor policies in Debian apply a principle of minimal harm, confining only those services for which someone has taken the time to verify the correct profile. There are obviously pros and cons to each approach to MAC, which I'm not interested in arguing about; but one of the pros of the approach taken for apparmor is that all software *does* continue to work out of the box. If you found it otherwise, I think you should be filing a bug report against apparmor. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ slangasek@ubuntu.com vorlon@debian.org
Attachment:
signature.asc
Description: Digital signature