openSUSE Security May 2016

security@lists.opensuse.org

7 participants
2 discussions

[opensuse-security] Apparmor suggestion to include more profiles
by Jean-Christophe Baptiste 03 Jun '16

03 Jun '16

Hello, It is a nice thing that openSUSE includes apparmor by default. I started to play with it on Leap 42.1. However, I feel it is a little short in term of profiles for the desktop (all profiles are server oriented). In comparison, I retrieved the profiles in Ubuntu : bzr co lp:apparmor-profiles They have some profiles for chromium, firefox, empathy, totem, thunderbird and evolution among others. Some big candidates are still missing though, like Wireshark. I feel such profiles are important, because these applications are rather exposed regarding modern threats. Do you think it would be legally possible to include them more or less as is in Leap 42.2 and all future releases? Or at least, is there any plan to develop more profiles for the desktop? Thank you in advance for your reply, Best regards, Jean-Christophe

8 19

[opensuse-security] SuSEfirewall2 and an non local transparent squid proxy
by Hans-Peter Jansen 07 May '16

07 May '16

Hi, in a LAN setup, there's a fairly current squid proxy running (3.5.17), which is NOT on the firewall, while the FW is located on a low end system running an older openSUSE with SuSEfirewall2. FW_DEV_EXT="dsl0" FW_DEV_INT="eth0" e.g. the usual simple DSL <-> masqueraded LAN setup. Using the xxxx_proxy environment settings work fine with collaborating systems, but I would like to force all local systems through the squid. I tried to add something similar to /etc/sysconfig/scripts/SuSEfirewall2-custom: iptables -t nat -A PREROUTING -i eth0 -s ! squid-server -p tcp --dport 80 -j DNAT --to squid-server:3128 iptables -t nat -A POSTROUTING -o eth0 -s local-net -d squid-server -j SNAT --to 172.16.23.1 iptables -A FORWARD -s local-net -d squid-server -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT in the fw_custom_after_antispoofing hook, and others, but failed so far. Source: http://tldp.org/HOWTO/TransparentProxy-6.html Any other way to archive something similar is welcomed of course, e.g. redirect 0/0:80 to squid-server:3128, but squid-server itself. Thanks, Pete -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

1 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security May 2016