On Thu, Apr 24, 2014 at 11:45:46AM +0200, Giacomo Mulas wrote:
> On Thu, 24 Apr 2014, Paul Wise wrote:
> > > Would the inclusion of more AppArmor profiles be applicable?

> > Thanks, added along with SELinux/etc.

> I second that. Actually, some time ago I tried using both AppArmor and
> SELinux, but gave up because it took forever to find legitimate behaviour of
> all kinds of common packages (most of them standard Debian packages) and
> prepare configuration files for things to work. If Debian wants to foster
> adoption of such security enhancements, it must go to great lengths in
> making sure that (in order of importance, in my humble opinion)

> 1) all Debian-packaged software works (very nearly) out of the box with
> Debian-supported MAC frameworks. It should be very clear that if they don't,
> it's an important bug that needs fixing. For example, such bugs should
> prevent the inclusion of a package in an official stable release. Or split
> the main Debian archive in two, one that is MAC-ready and one that is not,
> so each user can decide to only use packages known to work well with
> Debian-supported MAC frameworks.

The AppArmor policies in Debian apply a principle of minimal harm, confining
only those services for which someone has taken the time to verify the
correct profile.  There are obviously pros and cons to each approach to MAC,
which I'm not interested in arguing about; but one of the pros of the
approach taken for AppArmor is that all software *does* continue to work out
of the box.  If you found it otherwise, I think you should be filing a bug
report against apparmor.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
