On Sun, Apr 16, 2017 at 8:20 AM, Christian Jäger wrote:
> Hello all,
> there are lots of interesting developments going on around Flatpak and Snap as application-container formats that allow for cross-distribution application sharing. An additional benefit is, of course, sandboxing.
> Unfortunately, to make things more complicated, sandboxing relies on AppArmor with Snap and on SELinux with Flatpak.
> Are there any plans/discussions on which road openSUSE will be going down?

Three things:

1. Flatpak does *not* require any mandatory access control (MAC). It is true that there's optional integration in bubblewrap for SELinux, but Flatpak doesn't use that part. There's also no one stopping anyone from adding an AppArmor backend. There is a pull request for Flatpak to optionally enhance its sandboxing with SELinux, but it's not merged in currently.

2. Snap's AppArmor requirements currently rely on unmerged patches to AppArmor. They were recently proposed into the Linux kernel and the current estimate is that they'll all be merged and integrated by Linux kernel 4.13. For now, AppArmor has to be disabled, which turns off all confinement, since Snap's sandboxing approach is MAC-centric. There's some work going on to figure out an approach using SELinux.

3. openSUSE supports AppArmor and SELinux, but by default uses AppArmor.

As for picking sides and whatnot, I don't know.

--
真実はいつも一つ!/ Always, there's only one truth!