There has been a steady uptick of people stating that they will migrate (or already have) to Debian – seeking refuge from what they see as greedy corporate influence. I understand the sentiment fully. However, there’s a problem here that I want to talk about: security.
The ugly truth is that security is hard. It’s tedious. Unpleasant. And requires a lot of work to get right.
Debian does not do enough here to protect users.
Long ago, Red Hat embraced the usage of SELinux. And they took it beyond just enabling the feature in their kernel. They put in the arduous work of crafting default SELinux policies for their distribution.
…
However, its default security framework leaves much to be desired. Debian’s decision to enable AppArmor by default starting with version 10 signifies a positive step towards improved security, yet it falls short due to the half-baked implementation across the system.
…
The fundamental difference between AppArmor and SELinux lies in their approach to Mandatory Access Control (MAC). AppArmor operates on a path-based model, while SELinux employs a significantly more complex type enforcement system. This distinction becomes particularly evident in container environments.
…
The practical implications of these differences are significant. In a SELinux environment, a compromised container faces substantial hurdles in accessing or affecting the host system or other containers, thanks to the dual barriers of type enforcement and MCS labels.
TLDR: According to the author, Debian’s use of AppArmour is not as effective as RedHat’s use of SELinux when it comes to security.
The author is talking about the server use-case here but it’s not any better for desktops either. I think it boils down to the fact that neither of these operating systems are designed for a single-user world like Android (or any other modern mobile OS) and so these security solutions are shoehorned into a world where they don’t really fit into. Because those (server or desktop) programmes have different set of expectations about what’s available to them, than say, an Android app that knows that it has to ask for permission first.