DESCRIPTION: AppArmor improves security by limiting the capabilities of programs. Ubuntu did this years ago [1]. I'd like to see profiles for web browsers enabled by default.
I think AppArmor is the right choice of default Mandatory Access Control for Debian because Ubuntu and security focused Debian derivatives like Tails [2] and SubgraphOS [3] have already committed to it.
AppArmor is like SELinux though: it's annoying, so people just turn it off. The most recent example I encountered was on Ubuntu 16.04; I wanted to run VMs under QEMU/KVM with libvirt, but AppArmor was preventing the VM from using a USB device from the host. Just by chance I took a look at dmesg and saw some audit message about the qemu bridge helper.
Because Debian has already done much work on integrating AppArmor [1].
And Debian-based distros like Ubuntu, Tails, and Subgraph also work on AppArmor, so choosing AppArmor over SELinux means overall less work for the Debian community.
SELinux is more secure, flexible and comprehensive, so Debian should adopt it by default...
Anyway, if AppArmor gets selected by default, I hope I can switch somewhat easily to SELinux if I want to.
[1]: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorP...
[2]: https://tails.boum.org/contribute/design/application_isolati...
[3]: https://subgraph.com/