On Mon, Jun 17, 2019 at 4:03 AM Ondrej Mosnacek <omosnace(a)redhat.com> wrote:
On Thu, Jun 13, 2019 at 1:59 PM Jason Long <hack3rcon(a)yahoo.com> wrote:
> Thanks, but I meant was can AppArmor cause no Linux distro use SELinux anymore and
use AppArmor instead of SELinux?
Why would you want to do that? What benefit would it bring to Fedora?
To be blunt, the poor adoption of SELinux in other distros is largely
because the reference SELinux policy maintained by Tresys doesn't work
at all. I wish Red Hat SELinux engineers would reach out to other
distros and help them transition to our SELinux policy
implementation[1], because it actually _works_.
For example, SUSE supports SELinux and AppArmor, but the
selinux-policy package they have is based on refpolicy, which is
horribly broken. Someone should work with them to migrate to the
fedora-selinux policy.
In Debian, they've been so paralyzed about how to do security in the
first place, they did nothing for over a decade. They have a hard time
making any kind of decision.
Ubuntu had an SELinux expert over a decade ago, but he moved to Google
and wrote the SELinux policies for Chrome OS and Android, as both use
SELinux.
If Red Hat were to help other distros support SELinux using our policy
and our enhanced tools, then the community around SELinux would be
much stronger and there'd be much more usage and upstream support for
it due to the higher exposure.
[1]:
https://github.com/fedora-selinux/selinux-policy
--
真実はいつも一つ!/ Always, there's only one truth!