Hi, Michael Stone: > On Wed, Nov 29, 2017 at 01:17:26PM +0100, Emilio Pozuelo Monfort wrote: >>Nobody said problems are going to magically go away by enabling apparmor. >>OTOH, >>we won't know to what extent problems exists until it gets enabled everywhere.
> Exactly the same argument can be made for selinux. In theory, sure. In practice, well, apparently nobody made that same argument for SELinux; I suspect there's a reason for it. One problem with the decision making process we've gone through is that so far, we lack information about the current state of SELinux in Debian to be able to do a fair comparison: as far as I can tell, most of the SELinux info that was contributed to this discussion came from a (very nice and informative) Fedora developer and was not applying directly to Debian. So we discussed "what would it take to enable AppArmor by default in Buster" instead of "which LSM can/should we enable by default in Buster?". I'm happy to participate in the latter discussion but I won't be the one starting and facilitating it. I think basically all the info we need wrt. AppArmor is already on the corresponding discussion thread and the missing bits are being gathered with the current experimentation; if something is missing, just ask; then someone should sum this info somewhere (I can do this but perhaps someone less biases than me would be better). We'll need similar information about SELinux in Debian; and if the SELinux maintainers say it's OK to try it, let's do the same experiment for SELinux (say in 3 months, we switch the default, enforced by default LSM from AppArmor to SELinux). > But for some reason just turning on selinux by default to fix > everything wasn't a good solution, but turning on apparmor for the > same reason is. I'm trying to understand this logic. I was familiar enough with the state of AppArmor in Debian to be confident we could turn it on without breaking lots of critical functionality on the vast majority of Debian testing/sid systems (the Ubuntu experience helps a lot). I think what happened in the last two weeks proved this point. I'm not familiar enough with the state of SELinux in Debian to know precisely why the SELinux maintainers did not propose enabling it by default (it might be due to the current state being far from good enough, it might be due to lack of resources to handle bug reports, it might be that I was too pushy with AppArmor so they did not dare, really I don't know). I would be very interested to get data points about this, either from the SELinux maintainers, or from enthusiastic users willing to enforce SELinux today on their Debian testing/sid desktop system and report how it goes. Cheers, -- intrigeri
