On Thu, Apr 24, 2014 at 9:49 AM, Giacomo Mulas
giacomo.mula...@gmail.com wrote:
On Thu, 24 Apr 2014, Steve Langasek wrote:
The apparmor policies in Debian apply a principle of minimal harm,
confining
only those services for which someone has taken the time to verify the
correct profile. There are obviously pros and cons to each approach to
MAC,
which I'm not interested in arguing about; but one of the pros of the
approach taken for apparmor is that all software *does* continue to work
out
of the box. If you found it otherwise, I think you should be filing a bug
report against apparmor.
Good to know, actually I had tried apparmor quite some time ago and did not
try again. I will give it another spin as soon as I can.
However, I do not agree that I should file bugs against apparmor if a debian
package does not work properly, it should go to the package manager (and
maybe cc to some apparmor expert team). It cannot be the maintainer(s) of
apparmor to have to shoulder the effort of creating and maintaining profiles
for all debian packages. They may be called in for support, but regular
package maintainers should be involved IMHO, otherwise it will never really
take off and provide significantly better security.
Both of you have misunderstood each other.
Steve, Giacomo was advocating the creation of profiles/configurations
for all debian packages and considering it a serious bug if that was
not done.
Giacomo, Steve thought that you meant that unconfined applications
should work perfectly when the user is using a MAC, and not that they
should integrate with the MAC mechanism. So he was trying to explain
how AppArmor only interferes with explicitly configured (by the
package maintainer or user) profiles, and would not cause any harm to
non-confined applications. This is forgivably irrelevant, because you
are talking about confined applications.
Best regards,
--
Cameron Norman
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive:
https://lists.debian.org/calzwfrlhuawxatvzeb46jbuvozm54crpxac0ksx_wajx4pd...@mail.gmail.com