Bug#830502: [pkg-apparmor] Bug#830502: apparmor-profiles: Reconsider what profiles are shipped in /etc/apparmor.d/ and in which mode

2017-08-11 Thread Jamie Strandboge
On Thu, 2017-08-10 at 17:50 -0400, intrigeri wrote:
> 
> And the long-term goal is that eventually, some of these shared
> profiles might become good enough to be shipped in the apparmor
> package and enforced by default (and others should simply be dropped from
> Debian-based distros if nobody cares enough to make them work on
> Debian and maintain them proactively).

I agree with what Seth said, so I'll only respond on this point.

When the profiles are good enough to ship by default, Ubuntu historically has
preferred to ship profiles in the package that is under enforcement, since you
get the security policy by default (without having to opt-in to another package)
and because it allows the maintainer of the package to update the rules (i.e., the
maintainer of cups need only worry about the cups package as opposed to cups and
apparmor).

This of course isn't without its problems, but I wanted to clarify this point wrt
Ubuntu at least.

-- 
Jamie Strandboge | http://www.canonical.com



Bug#830502: [pkg-apparmor] Bug#830502: apparmor-profiles: Reconsider what profiles are shipped in /etc/apparmor.d/ and in which mode

2017-08-10 Thread Seth Arnold
On Thu, Aug 10, 2017 at 05:50:41PM -0400, intrigeri wrote:
> Context: this is about the apparmor-profiles package, that has no
> reverse-dependency, so this whole thing is not such a big deal (users
> [...]
> 2. Install *all* the profiles shipped by this package to
>    /etc/apparmor.d/, set it in complain mode.
> 
>    (Once it's been clarified what this package is about, let's smooth
>    the "get started with contributing to these profiles" process.)

The quality levels of the profiles in this package -- and their relevance
to modern systems -- are probably too varied at this point to suggest
turning them all on in any capacity by default. If Someone were to go
through them with an eye towards heavily pruning what should be pruned
first, this might be a reasonable idea.

I think I'd rather they all be installed on the side though, and perhaps
suggested by the tools, if they don't already.

It would be nice to have more examples that we're not ashamed of more
widely available :)

Thanks


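The proposal quoted above (install every profile into /etc/apparmor.d/ but in complain mode) and Seth's reply both turn on knowing which mode each profile on disk would actually be loaded in. The script below is an added example, not code from this thread or from the apparmor-profiles package; it audits an /etc/apparmor.d-style tree using only the on-disk conventions that the AppArmor init scripts honour: a `flags=(complain)` in the profile header, a symlink in `force-complain/`, or a symlink in `disable/`. It assumes that standard layout and runs against a constructed sample tree rather than real Debian profiles.

```shell
#!/bin/sh
# Added example: report the mode each profile in an /etc/apparmor.d-style
# directory would be loaded in. Classification rules (conventional layout,
# assumed here): a symlink in disable/ means the profile is not loaded at
# all; a symlink in force-complain/ or a "flags=(complain)" in the profile
# header means complain mode; anything else is loaded in enforce mode.

# profile_mode DIR FILE -> prints one of: disabled, complain, enforce
profile_mode() {
    dir=$1
    name=$(basename "$2")
    if [ -e "$dir/disable/$name" ]; then
        echo disabled
    elif [ -e "$dir/force-complain/$name" ]; then
        echo complain
    elif grep -Eq '^[^#]*flags=\([^)]*complain' "$2"; then
        echo complain
    else
        echo enforce
    fi
}

# audit_profiles DIR -> one "<mode><TAB><profile file>" line per profile
audit_profiles() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue   # skip the disable/ and force-complain/ dirs
        printf '%s\t%s\n' "$(profile_mode "$1" "$f")" "$(basename "$f")"
    done
}

# make_sample_tree -> prints the path of a constructed (not real) profile
# tree exercising each of the four cases above.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/disable" "$d/force-complain"
    printf '/usr/bin/one {\n  /etc/one.conf r,\n}\n' > "$d/usr.bin.one"
    printf '/usr/bin/two flags=(complain) {\n}\n' > "$d/usr.bin.two"
    printf '/usr/bin/three {\n}\n' > "$d/usr.bin.three"
    ln -s ../usr.bin.three "$d/force-complain/usr.bin.three"
    printf '/usr/bin/four {\n}\n' > "$d/usr.bin.four"
    ln -s ../usr.bin.four "$d/disable/usr.bin.four"
    echo "$d"
}

# Run with --demo to audit the constructed tree; point audit_profiles at
# /etc/apparmor.d to audit a real installation.
if [ "${1:-}" = "--demo" ]; then
    audit_profiles "$(make_sample_tree)"
fi
```

The point of checking all three conventions rather than only the profile text is that `aa-complain` and the Debian init scripts can put a profile into complain mode without its file ever containing `flags=(complain)`, so a grep over /etc/apparmor.d alone understates how much of the installed policy is not actually being enforced.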