
Thread: Apparmor

  1. #1

    Apparmor

    Hello Forum

    I have to admit that I do not know whether this is the right place to ask, as there is no security section, and therefore I'm posting here - if it is wrong, please move my post to the correct section. During the last weeks I have checked different MAC frameworks and I'm still wondering why openSUSE does not have apparmor enabled, as there is even a guide on how to enable it (https://doc.opensuse.org/documentati....security.html). It is enabled on SLES (which I have too) and I have searched the web for an answer why it is enabled on SLES but not on openSUSE - a lot has changed in apparmor and it seems that development is now mostly done at Ubuntu/Canonical and that could be the reason, and therefore it is maybe a dead project for openSUSE(SuSE??) and it is better that I should invest time in learning SELinux. However, it is not enabled by default (SDB:SELinux - openSUSE) in openSUSE and therefore I'm uncertain what is the best way to go. I have checked different distributions and RHEL/Fedora are using SELinux (default/enabled), Ubuntu Apparmor (default/enabled), Debian (SELinux, Apparmor, TOMOYO, SMACK can be enabled), SLES (Apparmor/enabled) - is there anybody who can answer my questions or has details about the status/future of apparmor/SELinux in openSUSE?? Thank you in advance.

  2. #2
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: Apparmor

    On 2013-09-11 21:36, FurciferPardalis wrote:
    >
    > Hello Forum
    >
    > During the last
    > weeks I have checked different MAC frameworks and I'm still wondering
    > why openSUSE does not have apparmor enabled as there is even a guide how
    > to enable it (http://tinyurl.com/pl2pj7l).


    Well, it is a choice you have. It is not enabled by default, not even
    installed. It is up to you to do it.

    It was installed and enabled by default years ago, when AA started
    development by Novell employees. When they went away or were fired, soon
    it was "demoted".

    SELinux was never enabled by default because it was a competitor to
    Novell's apparmor, IMHO. It is packaged, but not configured, that's up to
    you.


    > SMACK can be enabled), SLES (Apparmor/enabled) - is there anybody who
    > can answer my questions or have details about the status/future of
    > apparmor/SELinux in opensuse?? Thank you in advance.


    For that, I think you should ask at the mail lists, where the devs are.
    There is a security mail list; also the factory mail list would be
    appropriate, perhaps.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)

  3. #3

    Re: Apparmor

    Thank you for your post and time. I think I have to ask the developers what is scheduled for SLES 12, but I do not think that I will get any information yet. However, openSUSE is a different project and I think that I should get a positive answer or more background information on why both frameworks are opt-in and not enabled out of the box.

  4. #4
    Re: Apparmor

    On 2013-09-13 19:06, FurciferPardalis wrote:
    >
    > Thank you for your post and time and I think I have to ask the developers
    > what is scheduled for SLES 12 but I do not think that I will get any
    > information yet. However openSUSE is a different project and I think
    > that I should get a positive answer or more background information why
    > both frameworks are opt-in and not enabled out of the box.


    But you will not get it here. The forum is a place where users talk,
    there are almost no developers here.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)

  5. #5
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,076

    Re: Apparmor

    On Wed, 11 Sep 2013 19:36:05 +0000, FurciferPardalis wrote:

    > It is enabled on SLES (which I have too) and I have searched the web for
    > an answer why it is enabled on SLES but not on openSUSE


    It's much easier to predict what a SLES server will be used for than
    openSUSE. SLES is a server distribution, so there's a fairly limited
    number of rules that need to be set up and enabled.

    Desktop usage, though, is quite different, and having various profiles
    enabled for the desktop might interfere with desktop applications in
    unexpected ways. Better not to inconvenience users who don't have an IT
    background in that regard.

    Just an educated guess on my part - but it seems a reasonable assumption.

    The decision, though, is made by different people for the different
    releases.

    I wouldn't consider AppArmor "dead" in openSUSE/SUSE by any means. It
    does, however, need a more intuitive UI, IMHO.

    Jim

    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  6. #6
    Re: Apparmor

    On 2013-09-13 19:37, Jim Henderson wrote:
    > I wouldn't consider AppArmor "dead" in openSUSE/SUSE by any means. It
    > does, however, need a more intuitive UI, IMHO.


    Development of the interface is stuck.
    There is a yast interface, incomplete, and ugly. It works partially.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)

  7. #7

    Re: Apparmor

    Originally posted by hendersj:
    On Wed, 11 Sep 2013 19:36:05 +0000, FurciferPardalis wrote:

    > It is enabled on SLES (which I have too) and I have searched the web for
    > an answer why it is enabled on SLES but not on openSUSE


    It's much easier to predict what a SLES server will be used for than
    openSUSE. SLES is a server distribution, so there's a fairly limited
    number of rules that need to be set up and enabled.

    Desktop usage, though, is quite different, and having various profiles
    enabled for the desktop might interfere with desktop applications in
    unexpected ways. Better not to inconvenience users who don't have an IT
    background in that regard.

    Just an educated guess on my part - but it seems a reasonable assumption.

    The decision, though, is made by different people for the different
    releases.

    I wouldn't consider AppArmor "dead" in openSUSE/SUSE by any means. It
    does, however, need a more intuitive UI, IMHO.

    I do not think it is a good way to disable it because users should be protected out of the box and even if you enable apparmor profiles for browsers, mail clients and document viewers I think you cover a large part of internet security problems, and sure, it will take some time, but it is better that developers/packagers do their work with the assumption that a MAC framework is enabled. I've checked Fedora's mailing list and they have done a lot of work to iron out problems with SELinux and it is working (occasional application problems get fixed very fast and a developer is even blogging SELinux tips) and it seems most users do not even know that SELinux is used and working in the background. Therefore I think the same should be possible for openSUSE too, as in the case of a live image the applications concerned are known.

  8. #8
    Re: Apparmor

    On Sat, 14 Sep 2013 17:46:03 +0000, FurciferPardalis wrote:

    > I do not think it is a good way to disable it because users should
    > be protected out of the box and even if you enable apparmor
    > profiles for browsers, mail clients and document viewers I think you
    > cover a large part of internet security problems and sure it will take
    > some time but it is better developers/packagers do their work with the
    > assumption that a MAC framework is enabled.


    Well, it seems that whoever made the call for openSUSE didn't agree with
    this, but you could suggest it for 13.2 (13.1 is feature locked now, so
    it won't happen there). Maybe you can sell them on that.

    Jim
    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  9. #9

    Re: Apparmor

    Originally posted by hendersj:
    On Sat, 14 Sep 2013 17:46:03 +0000, FurciferPardalis wrote:

    > I do not think it is a good way to disable it because users should
    > be protected out of the box and even if you enable apparmor
    > profiles for browsers, mail clients and document viewers I think you
    > cover a large part of internet security problems and sure it will take
    > some time but it is better developers/packagers do their work with the
    > assumption that a MAC framework is enabled.


    Well, it seems that whoever made the call for openSUSE didn't agree with
    this, but you could suggest it for 13.2 (13.1 is feature locked now, so
    it won't happen there). Maybe you can sell them on that.

    It is not a problem for me as long as I can enable it myself and do not have to compile a kernel which supports it and packages to make it work. Apparmor is easier to set up, as for SELinux I had to relabel the filesystem and it took me some time to understand what's going on. SELinux is a very powerful beast and, I have to admit, somewhat complicated, and you have to craft really detailed profiles where applications are working in a tight security context (I got fascinated by SELinux sandboxes but this is OT for this thread). With suggesting, do you mean openFATE or the factory mailing list?

  10. #10
    Re: Apparmor

    On Sat, 14 Sep 2013 21:26:02 +0000, FurciferPardalis wrote:

    > With suggesting you mean openFATE or at the factory mailing list?


    Either place would be a good place to bring the topic up. The factory
    list might also provide additional insight as to why it's disabled by
    default.

    Jim
    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
