Hello,
It is a nice thing that openSUSE includes AppArmor by default. I started to play with it on Leap 42.1.
However, I feel it is a little short in terms of profiles for the desktop (all profiles are server oriented).
In comparison, I retrieved the profiles in Ubuntu:
bzr co lp:apparmor-profiles
They have some profiles for chromium, firefox, empathy, totem, thunderbird and evolution among others. Some big candidates are still missing though, like Wireshark.
I feel such profiles are important, because these applications are rather exposed regarding modern threats.
Do you think it would be legally possible to include them more or less as is in Leap 42.2 and all future releases?
Or at least, is there any plan to develop more profiles for the desktop?
Thank you in advance for your reply,
Best regards,
Jean-Christophe
Hi,
in a LAN setup, there's a fairly current squid proxy running (3.5.17), which
is NOT on the firewall, while the FW is located on a low end system running
an older openSUSE with SuSEfirewall2.
FW_DEV_EXT="dsl0"
FW_DEV_INT="eth0"
e.g. the usual simple DSL <-> masqueraded LAN setup.
Using the xxxx_proxy environment settings works fine with collaborating
systems, but I would like to force all local systems through the squid.
I tried to add something similar to /etc/sysconfig/scripts/SuSEfirewall2-custom:
iptables -t nat -A PREROUTING -i eth0 -s ! squid-server -p tcp --dport 80 -j DNAT --to squid-server:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-net -d squid-server -j SNAT --to 172.16.23.1
iptables -A FORWARD -s local-net -d squid-server -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
in the fw_custom_after_antispoofing hook, and others, but failed so far.
Source: http://tldp.org/HOWTO/TransparentProxy-6.html
Any other way to achieve something similar is welcomed of course, e.g.
redirect 0/0:80 to squid-server:3128, but squid-server itself.
Thanks,
Pete