[pkg-apparmor] Bug#879590: apparmor: Decide how we enable AppArmor by default
intrigeri at debian.org
Mon Oct 23 08:06:00 UTC 2017
Package: apparmor
Version: 2.11.0-11
Severity: normal
X-Debbugs-Cc: Ben Hutchings <benh at debian.org>
Hi,
we're discussing whether to enable AppArmor by default during the
Buster cycle, but we have no actual plan wrt. how to do it.
There are several options:
A. Make AppArmor the default LSM in the kernel

   i.e. set CONFIG_DEFAULT_SECURITY="apparmor"
   and CONFIG_DEFAULT_SECURITY_APPARMOR=y.

   That's what Ubuntu and openSUSE have been doing for ages.

   It's easy, straightforward, and compatible with how
   [selinux-activate] currently works, i.e. if a user has manually
   enabled SELinux, it'll remain the default and AppArmor will remain
   disabled. Passing security= on the kernel command line is enough to
   disable AppArmor.

B. Configure bootloaders to enable AppArmor by default

   On https://bugs.debian.org/702030 a nice & flexible solution was
   designed; let's call it B.1. However it requires quite some work in
   a number of packages, so IMO it does not fit the timeline of the
   proposed experiment (while Buster == testing).

   A short-term simpler option would be to drop a file in
   /etc/default/grub.d/ that injects what we want into
   GRUB_CMDLINE_LINUX unless another LSM is already enabled in there
   (selinux-activate directly modifies /etc/default/grub). Let's call
   this option B.2.

   The major disadvantage of this option is that it only supports GRUB
   (just like selinux-activate by the way). I haven't looked at how
   much work would be required to achieve the same result with the
   other major bootloaders Debian supports.

C. Anything else?
My personal preference is A > B.1. Ben & others, what do you think?
[selinux-activate] https://sources.debian.net/src/selinux-basics/0.5.6/selinux-activate/
Cheers,
--
intrigeri
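Added example (not part of the message above, nor a file shipped by the Debian apparmor package): a sketch of what the option B.2 drop-in could look like. Debian's grub-mkconfig sources /etc/default/grub.d/*.cfg after /etc/default/grub, so a file there can rewrite GRUB_CMDLINE_LINUX before the boot entries are generated. The helper appends the AppArmor boot parameters unless the command line already selects an LSM via security= (which is what selinux-activate writes into /etc/default/grub). The file name apparmor.cfg, the function name apparmor_cmdline and the parameter pair "apparmor=1 security=apparmor" are assumptions made for this example; the latter is what Debian kernels of that era needed to enable AppArmor at boot.

```shell
#!/bin/sh
# Hypothetical /etc/default/grub.d/apparmor.cfg (example, not a file from
# the Debian apparmor package). It is sourced by grub-mkconfig after
# /etc/default/grub, so GRUB_CMDLINE_LINUX already holds the admin's value.

# apparmor_cmdline VALUE
#   Print VALUE with the AppArmor boot parameters appended, unless VALUE
#   already carries a security= parameter. That covers the case where
#   another LSM was enabled explicitly (selinux-activate adds
#   "security=selinux selinux=1") and makes the function idempotent when
#   grub-mkconfig is run repeatedly.
apparmor_cmdline() {
    cmdline="$1"
    # Pad with spaces so "security=" is only matched as a whole parameter.
    case " $cmdline " in
        *" security="*)
            # An LSM was chosen explicitly on the command line; leave it.
            printf '%s\n' "$cmdline"
            ;;
        *)
            # Assumed parameter pair: apparmor=1 because the Debian kernel
            # config of the time did not enable AppArmor by default,
            # security=apparmor to select it as the active LSM.
            printf '%s\n' "${cmdline:+$cmdline }apparmor=1 security=apparmor"
            ;;
    esac
}

# Rewrite the variable in place; update-grub picks up the result.
GRUB_CMDLINE_LINUX="$(apparmor_cmdline "$GRUB_CMDLINE_LINUX")"
```

After `update-grub` and a reboot, `cat /sys/module/apparmor/parameters/enabled` should print `Y` and `aa-status` should list the loaded profiles; if the admin had previously run selinux-activate, the security=selinux entry is left untouched and AppArmor stays disabled, matching the behaviour described for option A. The check only looks at GRUB_CMDLINE_LINUX, so a security= parameter placed in GRUB_CMDLINE_LINUX_DEFAULT would not be detected.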