Re: [opensuse-security] Apparmor suggestion to include more profiles
On Tuesday, 31 May 2016, 02:51:11 CEST, Malte Gell wrote:
> On 29.05.2016 at 15:37, Jean-Christophe Baptiste wrote:
> > It is a nice thing that openSUSE includes apparmor by default. I
> > started to play with it on Leap 42.1.
> > However, I feel it is a little short in terms of profiles for the
> > desktop (all profiles are server oriented).
> > (.....)
> You're right, SUSE never came with many really useful AA profiles.
> On the other hand, in my mind you always need to change AA profiles to
> meet your demands.
Did you also need any changes in the profiles that are enabled by
default? If so, please tell me - in many (not all) cases I consider this
to be a bug in the profile ;-)
> I took profiles for Firefox and Thunderbird from the web and adapted
> them for my needs. For other apps I created profiles from scratch.
> I think no profiles may fit to your needs, you virtually always need
> to change them.
Well, at least if you want them as strict as possible.
> I suggest to create a new folder /etc/apparmor.d/templates and
> openSUSE puts all new profiles there and the user can enable them on
There is /usr/share/apparmor/extra-profiles/ with several profiles, but
because nearly nobody uses them, they are mostly bitrotting :-( so
please don't expect too much.
The profiles from there should in theory be proposed when you start a new
profile with aa-genprof - but I just noticed this is broken :-(
I sent a fix for this upstream, so this will be fixed in the next AppArmor
releases (2.9.4, 2.10.2 and 2.11, whenever they'll get released, will
contain the fix).
If you want to fix this yourself, feel free to grab the patch from
> Another good idea would be, if you have created some profiles, post
> them here, so other users can make use of them.
> There should be a SUSE Wiki where we can post our custom made
I agree that it would be good to have a place where profiles can be
shared, but I'm not sure if the wiki is a good place. The problem I see
is that the wiki makes it too easy to do malicious modifications to a
There are plans to set up a cross-distribution repo for profiles
(I discussed this with some Debian people at last year's DebConf, and if
we are lucky, they'll work on it at DebConf this year. Please don't take
this as a promise - I reminded them about the repo, but I don't have an
Until this repo is available, posting profiles to this mailing list sounds
good to me.
If it turns out that the list gets flooded by AppArmor profiles, we'll
need to search for a different solution, but that would be a luxury
> Can we agree to disagree, or do we need to vote in the
> next meeting? ;-)
Wait, you want to start a discussion on which voting system
(http://en.wikipedia.org/wiki/Voting_system) to use? :)
[> Christian Boltz and Steve Beattie in apparmor]