On 22.07.24 at 14:55, Neal Gompa wrote:
On Mon, Jul 22, 2024 at 8:48 AM Dominique Leuenberger <dimstar@opensuse.org> wrote:
Don't misunderstand me: I do support the switch to SELinux by default, as it is perfectly in line with the Factory First Policy and SELinux is where most resources are these days. Just genuinely worried about users that went beyond the 'trust the default aa settings or, in case of trouble, disabled it on first impact' (See e.g. Darix' reply on this thread. He, for one, is a very active AA user without much chance to ever migrate to SELinux).
I think we could come up with a migration package to handle this, including switching around kernel arguments on existing systems to ensure existing AA systems stay with AA as the kconfig defaults change.
Any defaults for non-essential (and potentially breaking old installs) stuff like that in the kernel config seem awkward to me; even the current apparmor default should not be there IMVHO (maybe it is required to have one module as default, no idea), but it probably cannot be removed in order to not break old systems. I mean, we also have not hard-coded the root device via "rdev" in the kernel image for quite some time ;-)

--
Stefan Seyfried

"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman