Package: apparmor
Version: 2.11.0-11
Severity: normal
X-Debbugs-Cc: Ben Hutchings <b...@debian.org>

Hi,

we're discussing whether to enable AppArmor by default during the Buster cycle, but we have no actual plan wrt. how to do it. There are several options:

A. Make AppArmor the default LSM in the kernel, i.e. set CONFIG_DEFAULT_SECURITY="apparmor" and CONFIG_DEFAULT_SECURITY_APPARMOR=y.

   That's what Ubuntu and openSUSE have been doing for ages. It's easy, straightforward, and compatible with how [selinux-activate] currently works, i.e. if a user has manually enabled SELinux, it'll remain the default and AppArmor will remain disabled. Passing security= on the kernel command line is enough to disable AppArmor.

B. Configure bootloaders to enable AppArmor by default.

   On https://bugs.debian.org/702030 a nice & flexible solution was designed; let's call it B.1. However it requires quite some work in a number of packages, so IMO it does not fit the timeline of the proposed experiment (while Buster == testing).

   A short-term simpler option would be to drop a file in /etc/default/grub.d/ that injects what we want into GRUB_CMDLINE_LINUX unless another LSM is already enabled in there (selinux-activate directly modifies /etc/default/grub). Let's call this option B.2. The major disadvantage of this option is that it only supports GRUB (just like selinux-activate, by the way). I haven't looked at how much work would be required to achieve the same result with the other major bootloaders Debian supports.

C. Anything else?

My personal preference is A > B.1. Ben & others, what do you think?

[selinux-activate] https://sources.debian.net/src/selinux-basics/0.5.6/selinux-activate/

Cheers,
-- 
intrigeri
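To make option B.2 concrete, here is an added example (not code from the bug report, the apparmor package or selinux-basics) of the logic such a /etc/default/grub.d/ drop-in would need: append the AppArmor parameters to GRUB_CMDLINE_LINUX only when no security= (or selinux=1) parameter is already present, so a system where selinux-activate has edited /etc/default/grub is left untouched. The kernel parameters "apparmor=1 security=apparmor" are the standard ones for enabling AppArmor; the file name 50-apparmor.cfg in the usage note is a hypothetical choice.

```shell
#!/bin/sh
# Added example, not part of the bug report: candidate logic for an
# /etc/default/grub.d/ drop-in implementing option B.2.
#
# Usage: with_apparmor "<current GRUB_CMDLINE_LINUX>"
# Prints the command line with AppArmor enabled, unless another LSM
# choice is already expressed on it, in which case it is printed unchanged.
with_apparmor() {
    cmdline=$1

    # Wrap in spaces so parameters match only on word boundaries.
    case " $cmdline " in
        *" security="*|*" selinux=1 "*)
            # An LSM was already chosen (e.g. by selinux-activate, or by an
            # admin who passed security=... to disable AppArmor): keep it.
            printf '%s\n' "$cmdline"
            return 0
            ;;
    esac

    # Parameters that enable AppArmor (kernel's own names, not invented here).
    apparmor_params="apparmor=1 security=apparmor"

    if [ -z "$cmdline" ]; then
        printf '%s\n' "$apparmor_params"
    else
        printf '%s\n' "$cmdline $apparmor_params"
    fi
}

# Demonstration with constructed command lines (not taken from a real system).
with_apparmor "quiet"                      # quiet apparmor=1 security=apparmor
with_apparmor "quiet security=selinux selinux=1"   # unchanged
with_apparmor "security=none"              # unchanged: admin opted out
```

On Debian, grub-mkconfig sources the *.cfg files under /etc/default/grub.d/ after /etc/default/grub, so a file such as the hypothetical 50-apparmor.cfg could carry the function above followed by GRUB_CMDLINE_LINUX="$(with_apparmor "$GRUB_CMDLINE_LINUX")"; update-grub then picks up the result. The "security=" check is what keeps the two activation mechanisms from fighting: whichever LSM is named first on the command line wins, and the drop-in never overrides an explicit choice.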