[Apparmor-dev] [rfr] Update to profiles: klogd and ntpd for ubuntu.
Vincent Danen
vdanen at annvix.org
Sat Jun 2 00:21:12 MDT 2007
* Seth Arnold <seth.arnold at suse.de> [2007-06-01 17:33:36 -0700]:
>> > Something that we're going to do in SUSE is split the profiles out of
>> > the monolithic apparmor-profiles package, and put them into their
>> > respective packages.
>> We have the same issue in ubuntu, how to package profiles.
>> We thought about 3 possibilities :
>> 1. in the application package. This requires to educate package maintainers
>> about security policy frameworks.
>> 2. in one package policy. The policy maintainer has to track all
>> application changes.
>> 3. one package policy for each application. This may lead to lots of small
>> packages.
>>
>> For now, we plan to follow 2. We'll see how things will evolve.
>
>Having tried all three, I can tell you that none of them is ideal.
>
>Putting them in the hands of package maintainers (may) be nice, though,
>since I am definitely not an expert on all the applications we ship. I
>hope the package maintainers will see it more as a way to reduce
>bugreports than pushing work onto them.. :)

This is what I planned to do with Annvix... each profile will be stored
in the package that the profile is for. The advantage is that
there won't be any useless profiles kicking around for software that
isn't installed, and the theory that the maintainer knows more about the
program than one single person writing profiles (or multiple people
making lots of changes to a single package) would be more ideal.

If all goes well, this will be the adoption route Mandriva takes when I
(hopefully) convince them to move from RSBAC to AppArmor (although for
that, it's helpful to have my "proof of concept" in place in Annvix
first so that it can be duly illustrated).

--
Vincent Danen @ http://linsec.ca/