Re: goals for hardening Debian: ideas and help wanted

2014-04-25 Thread Cameron Norman 
On Thu, Apr 24, 2014 at 9:49 AM, Giacomo Mulas
giacomo.mula...@gmail.com wrote:
 On Thu, 24 Apr 2014, Steve Langasek wrote:

 The apparmor policies in Debian apply a principle of minimal harm,
 confining
 only those services for which someone has taken the time to verify the
 correct profile.  There are obviously pros and cons to each approach to
 MAC,
 which I'm not interested in arguing about; but one of the pros of the
 approach taken for apparmor is that all software *does* continue to work
 out
 of the box.  If you found it otherwise, I think you should be filing a bug
 report against apparmor.


 Good to know, actually I had tried apparmor quite some time ago and did not
 try again. I will give it another spin as soon as I can.

 However, I do not agree that I should file bugs against apparmor if a debian
 package does not work properly, it should go to the package manager (and
 maybe cc to some apparmor expert team).  It cannot be the maintainer(s) of
 apparmor to have to shoulder the effort of creating and maintaining profiles
 for all debian packages.  They may be called in for support, but regular
 package maintainers should be involved IMHO, otherwise it will never really
 take off and provide significantly better security.

Both of you have misunderstood each other.

Steve, Giacomo was advocating the creation of profiles/configurations
for all debian packages and considering it a serious bug if that was
not done.

Giacomo, Steve thought that you meant that unconfined applications
should work perfectly when the user is using a MAC, and not that they
should integrate with the MAC mechanism. So he was trying to explain
how AppArmor only interferes with explicitly configured (by the
package maintainer or user) profiles, and would not cause any harm to
non-confined applications. This is forgivably irrelevant, because you
are talking about confined applications.

Best regards,
--
Cameron Norman


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/calzwfrlhuawxatvzeb46jbuvozm54crpxac0ksx_wajx4pd...@mail.gmail.com

Re: goals for hardening Debian: ideas and help wanted

2014-04-23 Thread Cameron Norman 
El Wed, 23 de Apr 2014 a las 7:57 PM, Paul Wise p...@debian.org 
escribió:

Hi all,

I have written a non-exhaustive list of goals for hardening the Debian
distribution, the Debian project and computer systems of the Debian
project, contributors and users.

https://wiki.debian.org/Hardening/Goals

If you have more ideas, please add them to the wiki page.

If you have more information, please add it to the wiki page.

If you would like to help, please choose an item and start work.



Would the inclusion of more AppArmor profiles be applicable?

Thanks,
--
Cameron Norman