
Re: goals for hardening Debian: ideas and help wanted



On Thu, Apr 24, 2014 at 9:49 AM, Giacomo Mulas
<giacomo.mulas84@gmail.com> wrote:
> On Thu, 24 Apr 2014, Steve Langasek wrote:
>
>> The apparmor policies in Debian apply a principle of minimal harm,
>> confining only those services for which someone has taken the time to
>> verify the correct profile.  There are obviously pros and cons to each
>> approach to MAC, which I'm not interested in arguing about; but one of
>> the pros of the approach taken for apparmor is that all software *does*
>> continue to work out of the box.  If you found it otherwise, I think you
>> should be filing a bug report against apparmor.
>
> Good to know; actually I had tried apparmor quite some time ago and did
> not try again.  I will give it another spin as soon as I can.
>
> However, I do not agree that I should file bugs against apparmor if a
> Debian package does not work properly; it should go to the package
> maintainer (and maybe cc to some apparmor expert team).  It cannot be
> the maintainer(s) of apparmor who have to shoulder the effort of creating
> and maintaining profiles for all Debian packages.  They may be called in
> for support, but regular package maintainers should be involved IMHO,
> otherwise it will never really take off and provide significantly better
> security.

Both of you have misunderstood each other.

Steve, Giacomo was advocating the creation of profiles/configurations
for all Debian packages and considering it a serious bug if that was
not done.

Giacomo, Steve thought that you meant that unconfined applications
should work perfectly when the user is using a MAC, and not that they
should integrate with the MAC mechanism. So he was trying to explain
how AppArmor only interferes with explicitly configured (by the
package maintainer or user) profiles, and would not cause any harm to
non-confined applications. This is forgivably irrelevant, because you
are talking about confined applications.

Best regards,
--
Cameron Norman
