[Bug 1208011] New: Editing profiles apparmor section is missing in Tumbleweed ?
http://bugzilla.opensuse.org/show_bug.cgi?id=1208011

            Bug ID: 1208011
           Summary: Editing profiles apparmor section is missing in Tumbleweed ?
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: x86-64
                OS: openSUSE Tumbleweed
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: AppArmor
          Assignee: suse-beta@cboltz.de
          Reporter: c.j@tuta.io
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

The option to edit profiles described here is missing ?
https://doc.opensuse.org/documentation/leap/security/html/book-security/cha-...

I am trying to block the internet access for an app.

1. How can I do this in Tumbleweed?

2. Even better if you can tell me: How to allow LAN connections (so the app can access the network printer, scanner etc...) but block outgoing to the public internet.

Thanks !

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208011
http://bugzilla.opensuse.org/show_bug.cgi?id=1208011#c1

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|suse-beta@cboltz.de         |fs@suse.com

--- Comment #1 from Christian Boltz <suse-beta@cboltz.de> ---
(In reply to C J from comment #0)
> The option to edit profiles described here is missing ?
> https://doc.opensuse.org/documentation/leap/security/html/book-security/cha-apparmor-yast.html

Right. The YaST module for AppArmor was rewritten some years ago (the old version was basically unmaintained, and unmaintainable, because it was based on obsolete AppArmor code).

During that rewrite, the feature to edit a profile was dropped - not a big loss IMHO because any text editor is better ;-)

@documentation team: please update the documentation about YaST2 AppArmor ;-) (AFAIK Leap also has the rewritten YaST module, but please double-check to be sure)

> I am trying to block the internet access for an app.
> 1. How can I do this in Tumbleweed?

You can edit the file in /etc/apparmor.d/ directly (use vim if you want syntax highlighting, but in general any editor will work). You'll need rules like

    deny network inet stream,
    deny network inet6 stream,

Afterwards run

    rcapparmor reload

to reload the updated profile. You can also use aa-logprof to update the profile.

For completeness: If the profile is in enforce mode (and your profile doesn't have any rule or abstraction that allows network access), then those deny rules "just" silence the logging because the default is to deny everything that is not allowed.

> 2. Even better if you can tell me: How to allow LAN connections (so the app can access the network printer, scanner etc...) but block outgoing to the public internet.

You can use network rules to allow or deny network connections, but unfortunately it's not possible to specify IPs or network ranges in the network rules (yet, it's on the upstream wishlist).
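
The distinction drawn in comment #1 between an explicit deny rule and the enforce-mode default, as an added example that is not part of the original thread or of AppArmor's own tooling: a Python check that classifies one address family and socket type against a profile's text. It assumes enforce mode and parses only simple `network [family] [type],` rules; includes are listed for manual review rather than expanded, and the `exampleapp` profile is constructed.

```python
import re

# Simple rules only: "[audit] [deny|allow] network [family] [type],"
RULE = re.compile(r"^\s*(?:audit\s+)?(?:(deny|allow)\s+)?network\b([^,#]*),")
INCLUDE = re.compile(r"^\s*#?include\s+(?:if\s+exists\s+)?(\S+)", re.M)

def network_verdict(profile_text, family, sock_type):
    """Classify a (family, type) pair, e.g. ("inet", "stream"), assuming enforce mode.

    Returns "explicit deny", "allowed" or "implicit deny".
    """
    allowed = denied = False
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        # An omitted family or type matches everything ("network," or "network inet,").
        # Rules using other keywords (protocols, address expressions) never match here.
        if all(word in (family, sock_type) for word in m.group(2).split()):
            if m.group(1) == "deny":
                denied = True
            else:
                allowed = True
    if denied:
        return "explicit deny"  # deny rules override allow rules and silence logging
    return "allowed" if allowed else "implicit deny"  # enforce-mode default

def unresolved_includes(profile_text):
    """Includes are not expanded; each one may carry its own network rules."""
    return INCLUDE.findall(profile_text)

# Constructed sample profile (name and path are hypothetical).
SAMPLE = """\
profile exampleapp /usr/bin/exampleapp {
  include <abstractions/base>
  /usr/bin/exampleapp mr,
  deny network inet stream,
  deny network inet6 stream,
}
"""

if __name__ == "__main__":
    for fam, typ in [("inet", "stream"), ("inet6", "stream"), ("inet", "dgram")]:
        print(fam, typ, "->", network_verdict(SAMPLE, fam, typ))
    print("review manually:", unresolved_includes(SAMPLE))
```
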

http://bugzilla.opensuse.org/show_bug.cgi?id=1208011
http://bugzilla.opensuse.org/show_bug.cgi?id=1208011#c2

--- Comment #2 from C J <c.j@tuta.io> ---
(In reply to Christian Boltz from comment #1)

Many thanks for the help and comprehensive feedback!

> During that rewrite, the feature to edit a profile was dropped - not a big loss IMHO because any text editor is better ;-)

But isn't this the reason for yast, the gui -> the major feature opensuse has over all the other distributions (also snapper)? You remove these things, opensuse is just like every other distribution. If so, why not just remove Yast and replace it with a link to the archlinux WIKI ? (I think you get the point, I'll let you think about it). Thanks!