Hello Jeremy, On Mon, 2017-08-07 at 08:47 -0400, Jeremy Bicha wrote: > While there are plenty of people who recommend disabling SELinux by > default on Fedora/RHEL (at least in the past), it's far, far less > common to hear about anyone recommending disabling AppArmor. And > that's one reason AppArmor is being proposed here and not SELinux. They both serve the same purpose; to confine a running process, by the mandated policy. The core problem is the policy, which may/will not fit all users irrespective of the LSM implementation they use. The previous adopters were all targeted distributions and it still took some time for users to get accustomed to it. RHEL confined most server packages. For the rest of the system, I believe it ran unconfined. And they used to have a decent reporting tool for policy violations. SUSE used to have a robust LSM integration into YaST. For a general purpose distribution like Debian, intri's proposal on the server side is good. We could definitely leverage the policy files from Ubuntu and SUSE. But for desktop users, I worry this would cause more pain. But I see there's an apparmor-notify package. Maybe that is the answer. I'll check that out some time soon. Thanks, Ritesh -- Ritesh Raj Sarraf | http://people.debian.org/~rrs Debian - The Universal Operating System
Attachment:
signature.asc
Description: This is a digitally signed message part