Re: [apparmor] Let's enable AppArmor by default (why not?)
On Mon, Nov 20, 2017 at 07:01:29PM +0100, intrigeri wrote: > Wouter Verhelst: > > It would be awesome if you could also include some documentation in the > > style "I'm a Debian package maintainer and the apparmor profile for some > > of the binaries in one of my packages is buggy, how can I fix it?" > > or "I'm a Debian package maintainer and I'd like to write an > > apparmor profile for one of the binaries in my package, where do > > I start". > > Some of this doc has been written by Ulrike Uhlig a few years ago: > https://wiki.debian.org/AppArmor/Contribute#Ship_an_AppArmor_profile_in_.22your.22_package Oh, great, didn't know that. Thanks. (minor nitpick would be that perhaps it might make sense to link to that page from somewhere inside /usr/share/doc or thereabouts, but that's just a detail) -- Could you people please use IRC like normal people?!? -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008 Hacklab -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] Let's enable AppArmor by default (why not?)
Wouter Verhelst: > It would be awesome if you could also include some documentation in the > style "I'm a Debian package maintainer and the apparmor profile for some > of the binaries in one of my packages is buggy, how can I fix it?" > or "I'm a Debian package maintainer and I'd like to write an > apparmor profile for one of the binaries in my package, where do > I start". Some of this doc has been written by Ulrike Uhlig a few years ago: https://wiki.debian.org/AppArmor/Contribute#Ship_an_AppArmor_profile_in_.22your.22_package Cheers, -- intrigeri -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] Let's enable AppArmor by default (why not?)
On 11/20/2017 08:06 AM, daniel curtis wrote: > Hello > > In His answer about removing the profile etc., Mr. John Johansen wrote, that > "it is important to do removal before adding the symlink (...)" [see 1.] > > However, according to the Ubuntu "AppArmor Community Help Wiki" [see 2.] > users should first make a symlink via ln(1) command and next use an > apparmor_parser(8) utility along with '-R' option. So, this is the opposite > of what Mr. Johansen has wrote. > > I thought, that maybe in such a situation Community Help Wiki should be > updated to contain a proper way to disable one profile. What do you think? By > the way; I have always used the method mentioned on Wiki - without problems. > > But now, thanks to Mr. Johansen, I will first remove profile before adding > symlink. > >It looks like that has been fixed, so my suggested ordering isn't required, >and the other ordering is even slightly preferred as adding the symlink first >will keep a racing profile load/restart for reloading the profile right after >you remove it. It used to be even on profile removal the symlink would be used >resulting in the removal not happening. I guess I forgot about that being >fixed. -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] AppArmor dependency on python
Hi Tyler and John, *The majority of the profile manipulation tools are now written in python.* Could you please provide more detailed information about these tools? Like a list, at least. *$ (cd libraries/libapparmor && ./autogen.sh && ./configure \&& make && make check) && \ (cd binutils && make && make check) && \ (cd parser && make)* Thank you, I will try. 2017-11-17 21:06 GMT+02:00 Tyler Hicks: > On 11/17/2017 12:57 PM, John Johansen wrote: > > On 11/17/2017 01:33 AM, Viacheslav Salnikov wrote: > >> Hi guys, > >> > >> I have a question about apparmor and its dependency from python. > >> I'm using it with Yocto, apparmor version is 2.11.0. > >> > >> Except*aa-easyprof*, does apparmor or its libraries and utilities use > python for something? I am talking not only about execution but also about > compilation, installing etc. > >> > > the very base of apparmor, parser, libraries, some basic tools > aa-enabled, aa-exec do not use python, this allows for minimal installs > with very few dependencies. > > You should be able to build the library, parser, and binutils without > Python. Your build commands would look something like: > > $ (cd libraries/libapparmor && ./autogen.sh && ./configure \ >&& make && make check) && \ > (cd binutils && make && make check) && \ > (cd parser && make) > > You won't be able to run `make check` in parser/ as some of the tests > depend on Python (and some Perl). > > Tyler > > -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
[apparmor] Let's enable AppArmor by default (why not?)
Hello In His answer about removing the profile etc., Mr. John Johansen wrote, that "it is important to do removal before adding the symlink (...)" [see 1.] However, according to the Ubuntu "AppArmor Community Help Wiki" [see 2.] users should first make a symlink via ln(1) command and next use an apparmor_parser(8) utility along with '-R' option. So, this is the opposite of what Mr. Johansen has wrote. I thought, that maybe in such a situation Community Help Wiki should be updated to contain a proper way to disable one profile. What do you think? By the way; I have always used the method mentioned on Wiki - without problems. But now, thanks to Mr. Johansen, I will first remove profile before adding symlink. Best regards, Thanks. _ [1] https://lists.ubuntu.com/archives/apparmor/2017-November/011314.html [2] https://help.ubuntu.com/community/AppArmor#Disable_one_profile . . -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor