The controversy around snaps is growing :-(
Tom H
tomh0665 at gmail.com
Mon May 4 17:35:54 UTC 2020
On Mon, May 4, 2020 at 5:58 PM Ralf Mardorf via ubuntu-users
<ubuntu-users at lists.ubuntu.com> wrote:
> On Mon, 4 May 2020 17:35:12 +0200, Tom H wrote:
>>
>> But one of the reasons that Fedora dislikes Snap is that it uses
>> apparmor rather than selinux.
>
> This makes no sense, since apparmor is the required infrastructure to
> ensure snap's security. Since I build my kernels with
There were some plans to make Snap work with selinux. I have no idea
what came of them.
It may not make sense to you, but without apparmor or selinux, Snaps
are well-confined. Given that Fedora's kernels only have selinux
enabled
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_APPARMOR is not set
you need selinux-enabled Snaps to enable "full" confinement.
On Ubuntu, if Snap's ever selinux-enabled, you'll be able to use
apparmor or selinux
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_SELINUX=y
Of course, selinux-enabled doesn't just mean having whatever selinux
"hooks" into Snap, you'll also need to have the right selinux
policies.
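
An added example, not part of the original message: a small shell check that reads a kernel config and reports which of the two LSMs discussed above are compiled in and which is the default. The function names and the two sample configs (built from the options quoted in the message) are constructed for illustration, and only the options quoted in the message are inspected.

```shell
#!/bin/sh
# Added example; function names are hypothetical, samples are constructed.

# Constructed sample: the Fedora options quoted in the message.
fedora_sample() {
cat <<'EOF'
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_APPARMOR is not set
EOF
}

# Constructed sample: the Ubuntu options quoted in the message.
ubuntu_sample() {
cat <<'EOF'
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_SELINUX=y
EOF
}

# Read a kernel config on stdin and print one summary line.
# Only exact "OPTION=y" lines count; "# ... is not set" lines do not match.
lsm_state() {
    cfg=$(cat)
    has() { printf '%s\n' "$cfg" | grep -qxF "$1"; }
    aa=no; se=no; def=unknown
    has 'CONFIG_SECURITY_APPARMOR=y' && aa=yes
    has 'CONFIG_SECURITY_SELINUX=y' && se=yes
    has 'CONFIG_DEFAULT_SECURITY_APPARMOR=y' && def=apparmor
    has 'CONFIG_DEFAULT_SECURITY_SELINUX=y' && def=selinux
    echo "apparmor=$aa selinux=$se default=$def"
}

# Which LSM support a snap would have to rely on with this kernel:
# apparmor if it is built in, otherwise selinux, otherwise none.
snap_lsm_needed() {
    case $(lsm_state) in
        apparmor=yes*) echo apparmor ;;
        *selinux=yes*) echo selinux ;;
        *)             echo none ;;
    esac
}

for s in fedora_sample ubuntu_sample; do
    printf '%s: %s\n' "$s" "$($s | lsm_state)"
done
```

On a running system, feed it the kernel's own config, for example `lsm_state < /boot/config-$(uname -r)`.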