Feature changed by: ich mich (yetanothernoob) Feature #312927, revision 4 Title: Use AppArmor or SELinux for every (suse) package openSUSE 12.1: Unconfirmed Priority Requester: Neutral + openSUSE Distribution: Unconfirmed + Priority + Requester: Neutral Requested by: ich mich (yetanothernoob) Partner organization: openSUSE.org Description: It would be nice to add apparmor or selinux profiles to every rpm package and , of course, use them! It would let suse become one of the most secure linux systems out there. And the best: the user just installs a package and hasen't to care about anything ;) But it would also need a secure (GUI) "Permission Asker", like windows and of course an easy to use frontend for editing profiles (just easier than the current yast one) Sorry for my bad english, hope anyone got what i mean :D Use Case: if you take eg firefox: it's allowed to read and modify EVERYTHING in your home directory and it also can read all system files...but in fact it just needs to have write access to your ~/Downloads directory...if someone hacks firefox its really useless, because he could just copy a file to downloads (if you don't allow firefox to delete files he may gets very frustrated xD) if you apply this "app armor" for every binary on your system it's nearly impossible hacking it (again, sorry for my bad english) Business case (Partner benefit): openSUSE.org: Because suse should be REALLY secure without getting in the users way Discussion: #1: ich mich (yetanothernoob) (2011-11-01 16:08:52) ... -- openSUSE Feature: https://features.opensuse.org/312927

Feature changed by: Roger Luedecke (Shadowolf7) Feature #312927, revision 9 Title: Use AppArmor or SELinux for every (suse) package openSUSE Distribution: Unconfirmed Priority Requester: Neutral Requested by: ich mich (yetanothernoob) Partner organization: openSUSE.org Description: It would be nice to add apparmor or selinux profiles to every rpm package and , of course, use them! It would let suse become one of the most secure linux systems out there. And the best: the user just installs a package and hasen't to care about anything ;) But it would also need a secure (GUI) "Permission Asker", like windows and of course an easy to use frontend for editing profiles (just easier than the current yast one) Sorry for my bad english, hope anyone got what i mean :D Use Case: if you take eg firefox: it's allowed to read and modify EVERYTHING in your home directory and it also can read all system files...but in fact it just needs to have write access to your ~/Downloads directory...if someone hacks firefox its really useless, because he could just copy a file to downloads (if you don't allow firefox to delete files he may gets very frustrated xD) if you apply this "app armor" for every binary on your system it's nearly impossible hacking it (again, sorry for my bad english) Business case (Partner benefit): openSUSE.org: Because suse should be REALLY secure without getting in the users way Discussion: #1: ich mich (yetanothernoob) (2011-11-01 16:08:52) ... + #2: Roger Luedecke (shadowolf7) (2011-11-08 03:33:51) + Not feasible. Especially for Web Browsers. -- openSUSE Feature: https://features.opensuse.org/312927

Feature changed by: Paul Parker (paulparker) Feature #312927, revision 11 Title: Use AppArmor or SELinux for every (suse) package openSUSE Distribution: Unconfirmed Priority Requester: Neutral Requested by: ich mich (yetanothernoob) Partner organization: openSUSE.org Description: It would be nice to add apparmor or selinux profiles to every rpm package and , of course, use them! It would let suse become one of the most secure linux systems out there. And the best: the user just installs a package and hasen't to care about anything ;) But it would also need a secure (GUI) "Permission Asker", like windows and of course an easy to use frontend for editing profiles (just easier than the current yast one) Sorry for my bad english, hope anyone got what i mean :D Use Case: if you take eg firefox: it's allowed to read and modify EVERYTHING in your home directory and it also can read all system files...but in fact it just needs to have write access to your ~/Downloads directory...if someone hacks firefox its really useless, because he could just copy a file to downloads (if you don't allow firefox to delete files he may gets very frustrated xD) if you apply this "app armor" for every binary on your system it's nearly impossible hacking it (again, sorry for my bad english) Business case (Partner benefit): openSUSE.org: Because suse should be REALLY secure without getting in the users way Discussion: #1: ich mich (yetanothernoob) (2011-11-01 16:08:52) ... #2: Roger Luedecke (shadowolf7) (2011-11-08 03:33:51) Not feasible. Especially for Web Browsers. #3: ich mich (yetanothernoob) (2011-11-08 19:55:28) (reply to #2) why? + #4: Paul Parker (paulparker) (2013-03-02 01:33:15) + Warning: am NON-Technical user ;-) Installation of new version of + openSUSE needs start at basic security level. Earlier openSUSE came + with apparmour installed and preconfigured, now each user needs act to + install and configure. Selinux also needs users install and set up. + Businesses with specialist technical staff to do these things, leaves + out the many other users. Other uses, particularly we NON-Technical + types. depend on both Documentation and Forums, to improve our basic + security. + Should "Security" be a specific branch in user forums ? + Security needs be central to everything done on the computer, else + users making passive decision their content available for everyone else + to read. -- openSUSE Feature: https://features.opensuse.org/312927

Feature changed by: Christian Boltz (cboltz) Feature #312927, revision 15 Title: Use AppArmor or SELinux for every (suse) package openSUSE Distribution: Unconfirmed Priority Requester: Neutral Requested by: ich mich (yetanothernoob) Partner organization: openSUSE.org Description: It would be nice to add apparmor or selinux profiles to every rpm package and , of course, use them! It would let suse become one of the most secure linux systems out there. And the best: the user just installs a package and hasen't to care about anything ;) But it would also need a secure (GUI) "Permission Asker", like windows and of course an easy to use frontend for editing profiles (just easier than the current yast one) Sorry for my bad english, hope anyone got what i mean :D Use Case: if you take eg firefox: it's allowed to read and modify EVERYTHING in your home directory and it also can read all system files...but in fact it just needs to have write access to your ~/Downloads directory...if someone hacks firefox its really useless, because he could just copy a file to downloads (if you don't allow firefox to delete files he may gets very frustrated xD) if you apply this "app armor" for every binary on your system it's nearly impossible hacking it (again, sorry for my bad english) Business case (Partner benefit): openSUSE.org: Because suse should be REALLY secure without getting in the users way Discussion: #1: ich mich (yetanothernoob) (2011-11-01 16:08:52) ... #2: Roger Luedecke (shadowolf7) (2011-11-08 03:33:51) Not feasible. Especially for Web Browsers. #3: ich mich (yetanothernoob) (2011-11-08 19:55:28) (reply to #2) why? #4: Paul Parker (paulparker) (2013-03-02 01:33:15) Warning: am NON-Technical user ;-) Installation of new version of openSUSE needs start at basic security level. Earlier openSUSE came with apparmour installed and preconfigured, now each user needs act to install and configure. Selinux also needs users install and set up. Businesses with specialist technical staff to do these things, leaves out the many other users. Other uses, particularly we NON-Technical types. depend on both Documentation and Forums, to improve our basic security. Should "Security" be a specific branch in user forums ? Security needs be central to everything done on the computer, else users making passive decision their content available for everyone else to read. #5: Stakanov Schufter (stakanov) (2013-03-02 08:11:41) (reply to #4) @rodger luedeke: I think you really have a problem there and he really has some argument. I am a "half technical user" that is I can do quite some about technical, at least for a person not working in IT. Now, when I was to Fosdem 2012 the openSUSE guy there was proud to say that AppArmour was not even installed by default any more (and nobody would notice - and he seamed really happy about that). I tried Tomoyo with the current 12.2 but the tomoyo-tools are outdated and cause a kernel- panik. A bug-report was done but currently nothing changed. And even when I follow your argument that the system default should be for the noop, why are the profiles for very important and vulnerable application (like the browsers) just not up to date and, if present, very permissive in default (I do not say they should be activated by deafault, but present yes). Try to install apparmor in a base system and do aa-unconfined. You will be surprised what base settings allow. What to say then about the fact that a user finds the "suckit"-rootkit false positive warning on rkhunter since about a year..... really not feasible? Or not "desired". And the settings of zeroconf and the choice to have samba installed by default....Even audit is not installed any more as default - but is mentioned in yast "checklist" for safe system settings. At least we could provide working updated packages to allow a normal user to do a safe install (under his responsibility). He should then also find "tfm" somewhere. Would already be something. So as I do not second the proposal because a default activation can be tricky, I would suppose: please provide at least working packages and a understandable logical line of thought to make the distribution safer for who wants to go that way. + #6: Christian Boltz (cboltz) (2015-05-06 21:00:43) + If someone can provide additional AppArmor profiles, feel free to send + them to the package maintainer or to me (I'm maintaining the AppArmor + package) - preferred methods are a submit request in the buildservice + or a bugreport with the profile attached. + Unfortunately, there are cases that make having a profile quite hard. + Firefox is a good example - it has a "save as..." dialog, which means + users might want to save files with any names at any place where they + have write permissions. So we can either have a restrictive profile + that allows saving files only in ~/download or so (which will result in + user complaints) or we could allow to save files everywhere (which + means the profile wouldn't be too useful). + Having a separate package with strict profiles ("apparmor-profiles- + paranoid"?) could be a way to go - those who want to secure their + system could - and those who don't care could continue to save their + files whereever they want. -- openSUSE Feature: https://features.opensuse.org/312927

Feature changed by: Christian Boltz (cboltz) Feature #312927, revision 18 Title: Use AppArmor or SELinux for every (suse) package - openSUSE Distribution: New + openSUSE Distribution: Rejected by Christian Boltz (cboltz) + reject reason: Not really doable Priority Requester: Neutral Requested by: ich mich (yetanothernoob) Partner organization: openSUSE.org Description: It would be nice to add apparmor or selinux profiles to every rpm package and , of course, use them! It would let suse become one of the most secure linux systems out there. And the best: the user just installs a package and hasen't to care about anything ;) But it would also need a secure (GUI) "Permission Asker", like windows and of course an easy to use frontend for editing profiles (just easier than the current yast one) Sorry for my bad english, hope anyone got what i mean :D Use Case: if you take eg firefox: it's allowed to read and modify EVERYTHING in your home directory and it also can read all system files...but in fact it just needs to have write access to your ~/Downloads directory...if someone hacks firefox its really useless, because he could just copy a file to downloads (if you don't allow firefox to delete files he may gets very frustrated xD) if you apply this "app armor" for every binary on your system it's nearly impossible hacking it (again, sorry for my bad english) Business case (Partner benefit): openSUSE.org: Because suse should be REALLY secure without getting in the users way Discussion: #1: ich mich (yetanothernoob) (2011-11-01 16:08:52) ... #2: Roger Luedecke (shadowolf7) (2011-11-08 03:33:51) Not feasible. Especially for Web Browsers. #3: ich mich (yetanothernoob) (2011-11-08 19:55:28) (reply to #2) why? #4: Paul Parker (paulparker) (2013-03-02 01:33:15) Warning: am NON-Technical user ;-) Installation of new version of openSUSE needs start at basic security level. Earlier openSUSE came with apparmour installed and preconfigured, now each user needs act to install and configure. Selinux also needs users install and set up. Businesses with specialist technical staff to do these things, leaves out the many other users. Other uses, particularly we NON-Technical types. depend on both Documentation and Forums, to improve our basic security. Should "Security" be a specific branch in user forums ? Security needs be central to everything done on the computer, else users making passive decision their content available for everyone else to read. #5: Stakanov Schufter (stakanov) (2013-03-02 08:11:41) (reply to #4) @rodger luedeke: I think you really have a problem there and he really has some argument. I am a "half technical user" that is I can do quite some about technical, at least for a person not working in IT. Now, when I was to Fosdem 2012 the openSUSE guy there was proud to say that AppArmour was not even installed by default any more (and nobody would notice - and he seamed really happy about that). I tried Tomoyo with the current 12.2 but the tomoyo-tools are outdated and cause a kernel- panik. A bug-report was done but currently nothing changed. And even when I follow your argument that the system default should be for the noop, why are the profiles for very important and vulnerable application (like the browsers) just not up to date and, if present, very permissive in default (I do not say they should be activated by deafault, but present yes). Try to install apparmor in a base system and do aa-unconfined. You will be surprised what base settings allow. What to say then about the fact that a user finds the "suckit"-rootkit false positive warning on rkhunter since about a year..... really not feasible? Or not "desired". And the settings of zeroconf and the choice to have samba installed by default....Even audit is not installed any more as default - but is mentioned in yast "checklist" for safe system settings. At least we could provide working updated packages to allow a normal user to do a safe install (under his responsibility). He should then also find "tfm" somewhere. Would already be something. So as I do not second the proposal because a default activation can be tricky, I would suppose: please provide at least working packages and a understandable logical line of thought to make the distribution safer for who wants to go that way. #6: Christian Boltz (cboltz) (2015-05-06 21:00:43) If someone can provide additional AppArmor profiles, feel free to send them to the package maintainer or to me (I'm maintaining the AppArmor package) - preferred methods are a submit request in the buildservice or a bugreport with the profile attached. Unfortunately, there are cases that make having a profile quite hard. Firefox is a good example - it has a "save as..." dialog, which means users might want to save files with any names at any place where they have write permissions. So we can either have a restrictive profile that allows saving files only in ~/download or so (which will result in user complaints) or we could allow to save files everywhere (which means the profile wouldn't be too useful). Having a separate package with strict profiles ("apparmor-profiles- paranoid"?) could be a way to go - those who want to secure their system could - and those who don't care could continue to save their files whereever they want. + #7: Christian Boltz (cboltz) (2017-05-25 11:08:02) + As I already said, things are not always easy (especially if an + application has a "save as..." menu item). + Nevertheless, additional AppArmor profiles are always welcome - but we + don't need an open feature request for that ;-) -- openSUSE Feature: https://features.opensuse.org/312927