Hello,
On Tuesday, 31 May 2016, 02:51:11 CEST, Malte Gell wrote:
> On 29.05.2016 at 15:37, Jean-Christophe Baptiste wrote:
>> It is a nice thing that openSUSE includes apparmor by default. I started to play with it on Leap 42.1.
>> However, I feel it is a little short in terms of profiles for the desktop (all profiles are server oriented).
> (.....)
> You're right, SUSE never came with many really useful AA profiles. On the other hand, in my mind you always need to change AA profiles to meet your demands.
Did you also need any changes in the profiles that are enabled by default? If so, please tell me - in many (not all) cases I consider this to be a bug in the profile ;-)
> I took profiles for Firefox and Thunderbird from the web and adapted them for my needs. For other apps I created profiles from scratch.
> I think no profiles may fit your needs, you virtually always need to change them.
Well, at least if you want them as strict as possible.
> I suggest creating a new folder /etc/apparmor.d/templates; openSUSE puts all new profiles there and the user can enable them on demand.
There is /usr/share/apparmor/extra-profiles/ with several profiles, but because nearly nobody uses them, they are mostly bitrotting :-( so please don't expect too much. The profiles from there should in theory be proposed when you start a new profile with aa-genprof - but I just noticed this is broken :-( I sent a fix for this upstream, so this will be fixed in the next AppArmor releases (2.9.4, 2.10.2 and 2.11, whenever they'll get released, will contain the fix). If you want to fix this yourself, feel free to grab the patch from https://lists.ubuntu.com/archives/apparmor/2016-June/009748.html ;-)
> Another good idea would be, if you have created some profiles, to post them here, so other users can make use of them.
> There should be a SUSE Wiki where we can post our custom made profiles.
I agree that it would be good to have a place where profiles can be shared, but I'm not sure if the wiki is a good place. The problem I see is that the wiki makes it too easy to do malicious modifications to a profile. There are plans to set up a cross-distribution repo for profiles (I discussed this with some Debian people at last year's DebConf, and if we are lucky, they'll work on it at DebConf this year. Please don't take this as a promise - I reminded them about the repo, but I don't have an answer yet.) Until this repo is available, posting profiles to this mailing list sounds good to me. If it turns out that the list gets flooded by AppArmor profiles, we'll need to search for a different solution, but that would be a luxury problem ;-)
Regards,
Christian Boltz
--
Can we agree to disagree, or do we need to vote in the next meeting? ;-) Wait, you want to start a discussion on which voting system (http://en.wikipedia.org/wiki/Voting_system) to use? :) [> Christian Boltz and Steve Beattie in apparmor]