[opensuse-factory] with apparmor enabled by default, shouldn't all packages come with an apparmor profile?
Now that we have reverted to having apparmor enabled by default, shouldn't we also require (or at least suggest) that all packages include a suitable apparmor profile? Running "aa-logprof" is no big deal for an experienced admin, but having ready-to-go apparmor profiles would make life easier for the newbie.
-- Per Jessen, Zürich (2.6°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 8 December 2013 12:43:51, Per Jessen <per@computer.org> wrote:
Now that we have reverted to having apparmor enabled by default, shouldn't we also require (or at least suggest) that all packages include a suitable apparmor profile?
No. But whoever decided that will get all bugs assigned by default.
Running "aa-logprof" is no big deal for an experienced admin, but having ready-to-go apparmor profiles would make life easier for the newbie.
Haha, good one. I have seen several profiles created by "experienced admins" and it's really hard to not open up more than you have to. Do you know why we switched it off by default in the first place?
-- Per Jessen, Zürich (2.6°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Mon, Dec 9, 2013 at 5:29 AM, Sascha Peilicke <speilicke@suse.com> wrote:
Running "aa-logprof" is no big deal for an experienced admin, but having ready-to-go apparmor profiles would make life easier for the newbie.
Haha, good one. I have seen several profiles created by "experienced admins" and it's really hard to not open up more than you have to. Do you know why we switched it off by default in the first place?
False sense of security due to bad profiles? I would like, however, that packagers were encouraged (while not forced) to provide profiles. Good ones or not, that should be decided in a review by the security team I'd guess.
Claudio Freire wrote:
On Mon, Dec 9, 2013 at 5:29 AM, Sascha Peilicke <speilicke@suse.com> wrote:
Running "aa-logprof" is no big deal for an experienced admin, but having ready-to-go apparmor profiles would make life easier for the newbie.
Haha, good one. I have seen several profiles created by "experienced admins" and it's really hard to not open up more than you have to. Do you know why we switched it off by default in the first place?
False sense of security due to bad profiles?
I would like, however, that packagers were encouraged (while not forced) to provide profiles.
That's what I had in mind - just a warning somewhere appropriate when no profile is included (or not marked as "not needed").
-- Per Jessen, Zürich (-1.2°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Tue, Dec 10, 2013 at 08:20:17AM +0100, Per Jessen wrote:
Claudio Freire wrote:
I would like, however, that packagers were encouraged (while not forced) to provide profiles.
That's what I had in mind - just a warning somewhere appropriate when no profile is included (or not marked as "not needed").
Probably not all packages, only those with SUID/SGID binaries or network daemons. But while it is easy to recognize the former, I doubt recognizing the latter can be automated.
Michal Kubeček
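The SUID/SGID half of the check discussed above can be sketched as follows. This is an added example, not code from the thread or from any openSUSE tool; it assumes an unpacked package root, the helper names and sample files are hypothetical, and profile headers are matched literally (no globs or variables). Network daemons are not detected.

```python
import os, re, stat, tempfile

# Simplified match for a profile header such as "/usr/bin/foo {" or
# "profile foo /usr/bin/foo flags=(complain) {" (no glob or variable expansion).
PROFILE_HEADER = re.compile(
    r"^\s*(?:profile\s+)?(?:\S+\s+)?(/\S+)\s*(?:flags=\([^)]*\)\s*)?\{\s*$")

def confined_paths(root):
    """Collect attachment paths declared by profiles under <root>/etc/apparmor.d."""
    found = set()
    profile_dir = os.path.join(root, "etc", "apparmor.d")
    if not os.path.isdir(profile_dir):
        return found
    for name in sorted(os.listdir(profile_dir)):
        path = os.path.join(profile_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    m = PROFILE_HEADER.match(line)
                    if m:
                        found.add(m.group(1))
    return found

def unconfined_privileged(root):
    """Return sorted install paths of SUID/SGID files that no shipped profile names."""
    confined = confined_paths(root)
    missing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                installed = "/" + os.path.relpath(full, root).replace(os.sep, "/")
                if installed not in confined:
                    missing.append(installed)
    return sorted(missing)

def build_sample_root():
    """Constructed sample: two SUID binaries, only one with a profile."""
    root = tempfile.mkdtemp(prefix="pkgroot-")
    for rel in ("usr/bin/examplemount", "usr/bin/exampleping"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, 0o4755)  # set the SUID bit on the constructed file
    os.makedirs(os.path.join(root, "etc", "apparmor.d"))
    with open(os.path.join(root, "etc", "apparmor.d", "usr.bin.exampleping"), "w") as fh:
        fh.write("/usr/bin/exampleping {\n  capability net_raw,\n}\n")
    return root

if __name__ == "__main__":
    print(unconfined_privileged(build_sample_root()))
```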
On Tuesday, 2013-12-10 at 09:00 +0100, Michal Kubecek wrote:
On Tue, Dec 10, 2013 at 08:20:17AM +0100, Per Jessen wrote:
That's what I had in mind - just a warning somewhere appropriate when no profile is included (or not marked as "not needed").
Probably not all packages, only those with SUID/SGID binaries or network daemons. But while it is easy to recognize the former, I doubt recognizing the latter can be automated.
All packages would be a nightmare, impossible to handle.
-- Cheers, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar)
On Monday 09 December 2013 16:44:37 Claudio Freire wrote:
On Mon, Dec 9, 2013 at 5:29 AM, Sascha Peilicke <speilicke@suse.com> wrote:
Running "aa-logprof" is no big deal for an experienced admin, but having
ready-to-go apparmor profiles would make life easier for the newbie.
Haha, good one. I have seen several profiles created by "experienced admins" and it's really hard to not open up more than you have to. Do you know why we switched it off by default in the first place?
False sense of security due to bad profiles?
Unfortunately, yes. Part two was apparmor's opaqueness for the (desktop) end user. I think the latter point is mostly solved since cboltz did a hell of a job updating / fixing apparmor profiles. Still, I don't think enabling by default provides much value out of the box. Therefore we have far too few profiles available. I'd personally favor the current opt-in approach. People with security demands can probably <strike>copy-paste</strike> carefully create profiles themselves that are tied to their specific environment. Generic profiles for everything are always too loose for somebody and too strict for somebody else.
I would like, however, that packagers were encouraged (while not forced) to provide profiles.
I would like that too. However, so far this didn't really happen.
Good ones or not, that should be decided in a review by the security team I'd guess.
Good point, the review team can definitely ask security when apparmor profiles are added or changed. However, this can only be informal. We can't decline Factory submissions because the apparmor profile is wrong unless we declare that a goal for the distro.
-- With kind regards, Sascha Peilicke SUSE Linux GmbH, Maxfeldstr. 5, D-90409 Nuernberg, Germany GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer HRB 16746 (AG Nürnberg)
On Tue, Dec 10, 2013 at 5:36 AM, Sascha Peilicke <speilicke@suse.com> wrote:
Good ones or not, that should be decided in a review by the security team I'd guess.
Good point, the review team can definitely ask security when apparmor profiles are added or changed. However, this can only be informal. We can't decline Factory submissions because the apparmor profile is wrong unless we declare that a goal for the distro.
Luckily, we recently got comments on SR :-)
On Sun, Dec 08, 2013 at 12:43:51PM +0100, Per Jessen wrote:
Now that we have reverted to having apparmor enabled by default, shouldn't we also require (or at least suggest) that all packages include a suitable apparmor profile? Running "aa-logprof" is no big deal for an experienced admin, but having ready-to-go apparmor profiles would make life easier for the newbie.
We tried to push this some years ago and it did not work out. It was just a bit hard for various services that need to write to configurable locations.
Ciao, Marcus
participants (6)
- Carlos E. R.
- Claudio Freire
- Marcus Meissner
- Michal Kubecek
- Per Jessen
- Sascha Peilicke