
Bug#925130: marked as done (release-notes: [buster] AppArmor section is misleading as most profiles are not enforced)



Your message dated Wed, 20 Mar 2019 21:59:37 +0100
with message-id <CAFX5sbyZxPYqzJP6QAmyBSWMaCRTObQ3CKsmS9LEnFnVMeRZxQ@mail.gmail.com>
and subject line Re: [pkg-apparmor] Bug#925130: release-notes: [buster] AppArmor section is misleading as most profiles are not enforced
has caused the Debian Bug report #925130,
regarding release-notes: [buster] AppArmor section is misleading as most profiles are not enforced
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
925130: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925130
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release-notes
Severity: normal
X-Debbugs-Cc: Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>

Dear Maintainer,

Section 2.2.2 says "Debian buster has AppArmor enabled per default", which
is right. But most profiles are in complain mode.

Maybe something should be written about it?

Regards

Mathieu Parent

--- End Message ---
--- Begin Message ---
On Wed, 20 Mar 2019 at 08:42, intrigeri <intrigeri@debian.org> wrote:
>
> Control: tag -1 + moreinfo
>
> Hi Mathieu,

Hi intrigeri!

> thanks for caring.
>
> Disclaimer: I didn't read the release notes bits Jonas wrote yet.
>
> Mathieu Parent:
> > But most profiles are in complain mode.
>
> "most" of which set of profiles?

I spoke too fast. On my machine, in
/sys/kernel/security/apparmor/profiles, I have 32 enforce lines and 23
complain lines. This is certainly not "most". And I have
apparmor-profiles installed.

$ sudo grep complain /sys/kernel/security/apparmor/profiles
nvidia_modprobe (complain)
nvidia_modprobe//kmod (complain)
libreoffice-soffice (complain)
nscd (complain)
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//lsb_release (complain)
/usr/lib/chromium-browser/chromium-browser//xdgsettings (complain)
mdnsd (complain)
libreoffice-oopslash (complain)
syslog-ng (complain)
/usr/sbin/dnsmasq (complain)
/usr/sbin/dnsmasq//libvirt_leaseshelper (complain)
traceroute (complain)
syslogd (complain)
smbd (complain)
nmbd (complain)
smbldap-useradd (complain)
smbldap-useradd///etc/init.d/nscd (complain)
avahi-daemon (complain)
ping (complain)
klogd (complain)
identd (complain)

I'm closing this report.

I'm too late on this for buster, but I think the smbd and nmbd
profiles can be enabled by default in bullseye.

> FTR, in a sid GNOME desktop VM with a few extra packages on top, that
> ship AppArmor profiles (LXC, haveged, libvirt, snapd, tor,
> Thunderbird, torbrowser-launcher), I see:
>
>  - 31 profiles in enforce mode
>  -  9 profiles in complain mode
>
> It seems to me that most packages that ship AppArmor policy
> set it to enforce mode. There are a few exceptions, e.g.:
>
>  - apparmor-profiles (the label on the box explains why and should
>    hopefully discourage the vast majority of users from installing it)
>  - Thunderbird
>  - some of the LibreOffice profiles
>
> Thanks again!
>
> Cheers,
> --
> intrigeri

Thank you

Cheers!

-- 
Mathieu

--- End Message ---
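
The enforce/complain counts quoted in this thread come from the `name (mode)` lines of /sys/kernel/security/apparmor/profiles. The script below is an added example, not part of the original messages: the function names are hypothetical, and the sample input is constructed (four complain lines copied from the listing above plus two invented `example-daemon` enforce lines).

```shell
#!/bin/sh
# Added example: summarise AppArmor profile modes from the kernel's
# "name (mode)" listing. Both functions read the listing on stdin.

# Constructed sample input (example-daemon is an invented name).
sample_profiles() {
    cat <<'EOF'
smbd (complain)
nmbd (complain)
/usr/sbin/dnsmasq (complain)
/usr/sbin/dnsmasq//libvirt_leaseshelper (complain)
example-daemon (enforce)
example-daemon//helper (enforce)
EOF
}

# mode_counts: print "<mode> <count>" for every mode seen.
mode_counts() {
    awk '
        # The mode is the trailing " (word)"; anchor on the end of the
        # line because profile names can contain spaces and slashes.
        match($0, / \([a-z]+\)$/) {
            n[substr($0, RSTART + 2, RLENGTH - 3)]++
        }
        END { for (m in n) print m, n[m] }
    ' | LC_ALL=C sort
}

# non_enforced_parents: print each top-level profile that has itself,
# or any "//" child profile, loaded in a mode other than enforce.
non_enforced_parents() {
    awk '
        match($0, / \([a-z]+\)$/) {
            mode = substr($0, RSTART + 2, RLENGTH - 3)
            name = substr($0, 1, RSTART - 1)
            sub(/\/\/.*/, "", name)   # fold child into its parent
            if (mode != "enforce") seen[name] = 1
        }
        END { for (p in seen) print p }
    ' | LC_ALL=C sort
}

sample_profiles | mode_counts
sample_profiles | non_enforced_parents
```

On a live system, pipe the real listing in instead, for example `sudo cat /sys/kernel/security/apparmor/profiles | mode_counts`.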