Theodore Ts'o wrote:
> On Wed, Nov 29, 2017 at 11:51:55AM -0800, Russ Allbery wrote:
> > Michael Stone <mst...@debian.org> writes:
> > > On Tue, Nov 28, 2017 at 08:22:50PM -0800, Russ Allbery wrote:
> >
> > >> Ubuntu has successfully shipped with AppArmor enabled.
> >
> > > For all the packages in debian? Cool! That will save a lot of work.
> >
> > Yes? I mean, most of them don't have rules, so it doesn't do anything,
> > but that's how we start. But indeed, Ubuntu has already done a ton of
> > work here, so it *does* save us quite a bit of work.
>
> The fact that AppArmor doesn't do anything if it doesn't have any
> rules is why we have a chance of enabling it by default. The problem
> with SELinux is that it's "secure" by the security-weenies' definition
> of secure --- that is, if there isn't provision made for a particular
> application, with SELinux that application is secure the way a
> computer with thermite applied to the hard drive is secure --- it
> simply doesn't work.
The SELinux policy could be altered to either run everything that we
know is not ready to be confined in an unconfined domain or put that
domain in permissive (which would result in a lot of denials being
logged), so it's possible to behave more or less the same way as
AppArmor depending on how the policy is designed.
> Every few years, I've tried turning on SELinux on my development
> laptop. After it completely fails and trying to make it just work
> for the subset of applications that I care about, I give up and
> turn it off again. Having some kind of LSM enabled is, as far as I am
> concerned, better than nothing.
I feel that having AppArmor running and not doing anything will give
people a false sense of security; on my test machine almost nothing was
confined.
TBH I'm a bit disappointed with the upstream state of AppArmor (no D-Bus
mediation, ...) and other missing features that are still Ubuntu-only.