Re: goals for hardening Debian: ideas and help wanted
On Thu, 24 Apr 2014, Steve Langasek wrote:
The apparmor policies in Debian apply a principle of minimal harm, confining
only those services for which someone has taken the time to verify the
correct profile. There are obviously pros and cons to each approach to MAC,
which I'm not interested in arguing about; but one of the pros of the
approach taken for apparmor is that all software *does* continue to work out
of the box. If you found it otherwise, I think you should be filing a bug
report against apparmor.
Good to know, actually I had tried apparmor quite some time ago and did not
try again. I will give it another spin as soon as I can.
However, I do not agree that I should file bugs against apparmor if a debian
package does not work properly, it should go to the package manager (and
maybe cc to some apparmor expert team). It cannot be the maintainer(s) of
apparmor to have to shoulder the effort of creating and maintaining profiles
for all debian packages. They may be called in for support, but regular
package maintainers should be involved IMHO, otherwise it will never really
take off and provide significantly better security.
Thanks for the information.
Giacomo
--
_________________________________________________________________
Giacomo Mulas <gmulas@oa-cagliari.inaf.it>
_________________________________________________________________
INAF - Osservatorio Astronomico di Cagliari
via della scienza 5 - 09047 Selargius (CA)
tel. +39 070 71180244
mob. : +39 329 6603810
_________________________________________________________________
"When the storms are raging around you, stay right where you are"
(Freddy Mercury)
_________________________________________________________________
Reply to: