Hi Laurent,

Laurent Bigonville:
> The SELinux policy could be altered to either run everything that we know is
> not ready to be confined in an unconfined domain or put that domain in
> permissive (which would result in a lot of denials being logged), so it's
> possible to behave more or less the same way as AppArmor depending on how
> the policy is designed.
Great!

Is there any plan to do this up to the point when it's realistic to enable SELinux by default on Debian? Ideally this would be done early enough so we can run the s/AppArmor/SELinux/ experiment during the Buster cycle, and make a decision in time for Buster.

(I'm not counting on LSM stacking being finalized in time for Buster so for now, if we want a LSM enabled by default, we need to choose exactly one. I'd be fine with SELinux instead of AppArmor; what would make me sad is if we remained in the "no LSM" situation much longer only because we don't manage to pick one.)

> I feel that having Apparmor running and not doing anything will give people a
> false sense of security,

That's definitely a risk. If AppArmor ends up being enabled by default in Debian some day, I think we can easily mitigate this risk by carefully wording our public communication about it.

> TBH I'm a bit disappointed with upstream state of Apparmor (no D-Bus
> mediation,...) and other missing features that are still ubuntu only.

I can definitely relate to that feeling and have been frustrated about this for years. Thankfully things have changed drastically recently: quite a few features have been upstreamed to Linux mainline in 4.13 and 4.14, and more is upcoming, so I'm now hopeful :)

Cheers,
--
intrigeri