Hello, Am Donnerstag, 2. Juni 2016, 07:22:25 CEST schrieb Malte Gell:
Am 01.06.2016 um 02:16 schrieb Christian Boltz:
(...) You´re right, SUSE never came with many really useful AA profiles. On the other hand, in my mind you always need to change AA profiles to meet your demands.
Did you also need any changes in the profiles that are enabled by default? If so, please tell me - in many (not all) cases I consider this to be a bug in the profile ;-)
No, actually I never looked closer at the default profiles.... I´ve been more keen on user space programms like Firefox, VLC etc. I guess on desktop systems this may be the first doors an attacker would break into.
Agreed, but as I already pointed out in another mail, it's close to impossible to ship default profiles for them that are safe and don't annoy users.
Where can you make suggestions for changes to default profiles/abstractions? Here or bugzilla?
I'm everywhere ;-) but bugzilla has the advantage that nothing gets lost.
I agree that it would be good to have a place where profiles can be shared, but I'm not sure if the wiki is a good place. The problem I see is that the wiki makes it too easy to do malicious modifications to a profile.
Can a certain wiki site not be restricted to allow only certain people to post stuff?
In theory yes, but managing access permissions in MediaWiki is a nightmare if you need more than the usual groups (basically admins and "normal" users). To make things worse, MediaWiki has a browsable version history, but not a "blame" feature to find out who last edited a line.
Doesn´t openSUSE have a website that is run "normally" without wiki? So people could show and discuss their AA profiles here on the list and an admin looks over them and puts them on a static non-wiki web site?
Review/moderation is an important point. Your text sounds like you are describing a git repo ;-) which would be a much better solution than a static web page.
There are plans to setup a cross-distribution repo for profiles (I discussed this with some Debian people at last year's DebConf (...) In the long run that would be best, so all Linux users can benefit, no matter what distribution.
I fully agree. The profiles are typically useable everywhere if you honor some small details (for example /lib/ vs. /lib64/ -> use /lib*/). BTW: Even if it isn't one of the stated goals of AppArmor, it more than once was helpful to get cross-distribution collaboration improved. And I'm not only talking about sharing AppArmor profiles here ;-) [1] Regards, Christian Boltz [1] I did my "AppArmor Crash Course" talk at DebConf last year. I was the only speaker with an openSUSE t-shirt ;-) and had a funny "Any relations between Debian and openSUSE" slide. Next month we'll have two speakers from DebConf15 at the openSUSE conference. I'm sure the things they work on are also relevant, useful and interesting for openSUSE :-) -- Bitte in Zukunft keine Stasi-Vergleiche mehr. Das verharmlost die gegenwärtige Situation. [purchaser auf http://www.heise.de/newsticker/foren//forum-290681/msg-26347022/read/] -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org