[Apparmor-dev] Re: Disable profiles with dpkg-old, dpkg-new extension and linked from disable dir.
Christian Boltz
apparmor at cboltz.de
Sat Aug 18 05:45:41 MDT 2007
Hello,
On Tuesday, 14 August 2007, Steve Beattie wrote:
> On Mon, Aug 13, 2007 at 03:50:36PM -0600, Dominic Reynolds wrote:
> > +++ Mathias Gug [13/08/07 16:12 -0400]:
> > > I've attached a patch that adds profiles that should not be
> > > loaded:
> > > * files with dpkg-new, dpkg-old suffix.
> > > * files which have a link in /etc/apparmor.d/disable/.
[...]
> I'm less enthused about the latter change; I understand the desire
> for it. I don't like this particular approach because it means an
> admin needs to check in two locations to see if there's a profile and
> it's not disabled. Another aspect is that, other than knowing to skip
> the disabled profiles, the tools have no knowledge of them and to
> potentially use them as a starting point if an admin decides they do
> want to profile that particular application.
Silly question: Why don't you do it the other way round?
Read: having a directory with symlinks for enabled profiles.
The profiles could then be in a subdirectory of /etc/apparmor.d/.
Hmm, another idea: what about flags=disabled?
BTW: I don't see a real problem with RPM, it recognizes modified
profiles as changed and doesn't touch them. Instead, it puts the
profile from the package in a .rpmnew file which doesn't hurt.
[...]
> As I understand what I've seen of your proposal, the idea is also
> that distributor provided profiles would get installed outside of the
> "enabled" location so that admins can more easily separate out their
> changes from distribution updates (and distribution updates won't
> affect edited profiles or re-enable removed profiles; [...]
I'm not sure if shipping with disabled profiles is a good idea - you
lose lots of security by default. (And: lazy admins won't enable the
profiles - and exactly these people would benefit most from them if
they are also lazy in installing security updates ;-)
Regards,
Christian Boltz
--
> Do you still need the sig? I just stole it ;-)
YES!! *phew* I still have it!!! :)
[> Christian Boltz and David Haller in suse-linux-faq]
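The two skip rules discussed in this thread (ignore `.dpkg-old`/`.dpkg-new` leftovers, and ignore any profile that has a link in `/etc/apparmor.d/disable/`), written out as a small stand-alone Python script. This is an added illustration, not Mathias Gug's patch and not code from the AppArmor parser; the profile names, the temporary directory tree and the helper names `profiles_to_load` and `build_demo_tree` are constructed for the example. The disable check compares resolved real paths, so a link written relatively or absolutely both count.

```python
import os
import tempfile
from pathlib import Path

# Assumption: the suffixes dpkg leaves behind on package upgrade, as named in the thread.
SKIP_SUFFIXES = (".dpkg-old", ".dpkg-new")


def disabled_targets(profile_dir: Path) -> set:
    """Resolve every entry in <profile_dir>/disable/ to the real file it points at."""
    disable_dir = profile_dir / "disable"
    if not disable_dir.is_dir():
        return set()
    # resolve() follows the symlink; a dangling link still yields a path, which
    # simply never matches a real profile.
    return {entry.resolve() for entry in disable_dir.iterdir()}


def profiles_to_load(profile_dir) -> list:
    """Return the sorted names of profiles that should be handed to the parser."""
    profile_dir = Path(profile_dir)
    disabled = disabled_targets(profile_dir)
    keep = []
    for entry in sorted(profile_dir.iterdir()):
        if entry.is_dir():                       # disable/ itself, or any other subdir
            continue
        if entry.name.endswith(SKIP_SUFFIXES):   # rule 1: dpkg leftovers
            continue
        if entry.resolve() in disabled:          # rule 2: linked from disable/
            continue
        keep.append(entry.name)
    return keep


def build_demo_tree() -> str:
    """Build a constructed sample tree (not a real /etc/apparmor.d) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="apparmor-demo-"))
    for name in ("usr.sbin.foo", "usr.sbin.bar", "usr.sbin.bar.dpkg-old",
                 "usr.sbin.baz.dpkg-new", "usr.sbin.qux"):
        (root / name).write_text(f"# constructed profile {name}\n")
    (root / "disable").mkdir()
    # Admin has disabled usr.sbin.qux by linking it from disable/ (relative link).
    os.symlink(os.path.join("..", "usr.sbin.qux"), root / "disable" / "usr.sbin.qux")
    return str(root)


if __name__ == "__main__":
    demo = build_demo_tree()
    print(profiles_to_load(demo))  # ['usr.sbin.bar', 'usr.sbin.foo']
```

Running the script prints only `usr.sbin.bar` and `usr.sbin.foo`: the `.dpkg-old` and `.dpkg-new` copies are dropped by suffix, and `usr.sbin.qux` is dropped because the `disable/` link resolves to it. The same loop shows the point Steve raises above: nothing in the listing of the profile directory itself tells an admin that `usr.sbin.qux` is disabled; that fact lives only in the second directory.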