On 11/29/2013 4:31 PM, Claudio Freire wrote:
That would be fine -- I just said it needs to be made clear at install time that a non-standard security policy is being turned on and that not doing so is bad practice (unless you are trying to be microsoft...?) Next up? Trying to be Sony with a rootkit install for the user's own good?
Mind you, SELinux and AppArmor are both quite standard.
==== The default security policy is *standard*. The others are not built unless you choose optional security models. From the kernel configuration Kconfig file: choice prompt "Default security module" default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX default DEFAULT_SECURITY_SMACK if SECURITY_SMACK default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR default DEFAULT_SECURITY_YAMA if SECURITY_YAMA default DEFAULT_SECURITY_DAC --- if nothing is chosen, DAC, which has been the only "standard" security policy (in terms of it being most widely deployed or used). That doesn't mean it is the best --- determining that is based on your needs. Thinking that 1 of the above fits "all"; is better for everyone; and should be made the default w/o user input is seems to be a perfect fit for the word "hubris". ([http://en.wikipedia.org/wiki/Hubris]).
And, if you read the release notes for 13.1, section 5.11. AppArmor and Permission Settings, you'd know.
And those are displayed during the install flow, where? I seem to have missed where they are displayed before installation. Under Hubris, it is mentioned that it is associated with "shaming the victim", like inferring that they "should have done something", or making statements like: "As always in security, you're quite naive". AFAIK, they are not part of the install flow (not that people generally read long lists of notes when they just want to install it and have it "work") -- which, if it did, the OP would never have posted. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org