This is what I love about openSUSE. After a profound and open user discussion with strong end-user involvement, in an open process it was decided not to activate it any longer (even though it is now in the kernel by default) and instead leave it to SE Linux (or nothing). The how-to for an end user to use SE Linux is as follows: you do not need it. If you think you still need it, have a look at the second “informal forum” how-to about SE Linux: “much too complicated to set this up. You don’t need this level of security”.
The only thing that I still do not understand: why did I need it before for so many years, and, since SE Linux is not set up by default and Apparmor is not available any more, did openSUSE get more secure with 12.1? Why was it developed anyway if it has no utility? Why was TOMOYO developed? Why was anything developed? …
I am going now to have my therapy… rotfl!
Oh and I do appreciate any hint on how I can activate it in openSUSE.
On 2012-02-10 18:06, stakanov wrote:
>
> Knurpht;2439200 Wrote:
>> AFAIK it’s been replaced by selinux. I noticed this too, left Apparmor
>> out.
Not replaced, because selinux is not preconfigured.
> The only thing that I still do not understand: why did I need it before
> for so many years, and, since SE Linux is not setup by default, and
> Apparmor is not available any more,
What? AA is available.
> did openSUSE get more secure with
> 12.1?
No.
> Why was it developed anyway if it has no utility?
It has utility, and development continues.
> Oh and I do appreciate any hint on how I can activate it in openSUSE.
YaST. But there is something wrong with it, or with systemd. I’m testing it.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
On 2012-02-10 21:28, Carlos E. R. wrote:
>> Oh and I do appreciate any hint on how I can activate it in openSUSE.
> YaST. But there is something wrong with it, or with systemd. I’m testing it.
As I thought. It works fine with SysV init, but not with systemd.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
A guy behind the openSUSE counter at FOSDEM, very cool, said to me that “we did not implement it in 12.1 - didn’t you notice?” And he seemed quite happy about it (probably because in this way it causes less work?).
So I go for: intentional. But you are able to prove me wrong. Maybe he meant: we did not activate it by default and there is a trick to do it. You will tell me.
On 2012-02-11 10:16, stakanov wrote:
> A guy behind the openSUSE counter at FOSDEM, very cool, said to me that
> “we did not implement it in 12.1 - didn’t you notice?” And he seemed quite
> happy about it (probably because in this way it causes less work?).
Well, Novell did fire the entire original AA team, years ago, reasons untold.
But I happen to be subscribed to the current dev AA list
(apparmor(at)lists.ubuntu.com), and I see people from openSUSE
participating and contributing patches. There is a lot of activity there.
> So I go for: intentional. But you are able to prove me wrong. Maybe he
> meant: we did not activate it by default and there is a trick to do it.
> You will tell me.
As I said, there are bugs. AA doesn’t start with systemd. Reported.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
On 02/11/2012 10:16 AM, stakanov wrote:
> A guy behind the openSUSE counter at FOSDEM, very cool, said to me that
> “we did not implement it in 12.1 - didn’t you notice?” And he seemed quite
> happy about it (probably because in this way it causes less work?).
> So I go for: intentional. But you are able to prove me wrong. Maybe he
> meant: we did not activate it by default and there is a trick to do it.
> You will tell me.
just guessing! AppArmor was a product that Novell (the profit oriented
company) was using to set itself apart from its commercial rival (Red
Hat), which had chosen a similar SELinux to bullet-proof the OS in the
sight of the non-tech bean counting corporate buyers…
so, as long as Novell was pushing how wonderful AppArmor was it HAD to
be default installed…
but, when Novell was replaced by the more hands off management style of
Attachmate the geeks in Nuremberg had the freedom to decide to cut that
sinking ship free…not needed now, not needed before either (except as
a “marketing tool”).
Technically speaking, the Apparmor module that was used with kernels up to 2.36 is not usable with kernel 2.37, nor with 3.1.x or 3.2.x.
Since Apparmor is currently not working and I doubt this will be fixed for 12.1 any time soon, the O.P. who started the thread could be interested in a solution called TOMOYO (a mandatory access control (MAC) system similar to Apparmor). Now the funny thing is that although TOMOYO in its 2.5 implementation cannot be run together with Apparmor (unlike versions 1.6-1.8), the latter version has been accepted into the kernel and from 3.2 on does not require any patching. And even better, the kernel shipping with 12.1 is compiled with TOMOYO support active. Installation seems easy and straightforward, but unfortunately I do not currently have my 12.1 system at hand. So I post you the link to the installation video. If any interested O.P. wants to have a try, we will surely all be delighted to have feedback on this.
The video is here: https://www.youtube.com/watch?v=MkBXGUb6RPo
The website with more info is here: TOMOYO Linux Home Page
And some more historical info on Wikipedia: https://en.wikipedia.org/wiki/TOMOYO_Linux
And finally about the version to use: TOMOYO Linux Documentation
I myself will have a try once I am again in touch with my 12.1 little abandoned beauty, and will report back, but that can take time.
Cheers.
On 2012-02-11 18:06, stakanov wrote:
>
> Technically speaking, the Apparmor module that was used with kernels up
> to 2.36 is not usable with kernel 2.37, nor with 3.1.x or 3.2.x.
> Since currently Apparmor is not working and I doubt this will be fixed
Are you sure of that? I’m using AA with systemd in 12.1.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
Then why don’t you share the information on how to fix the problem, since this was the original question by the OP.
Besides, I am sure that the module used up to 2.36 is not viable for the kernel versions above. It is therefore evident that they changed the module and scripts, which is a good thing (and I should have expected that, since 11.4 had a working Apparmor install). So go ahead, we are very happy to learn the solution.
Saludos.
On 2012-02-12 21:26, stakanov wrote:
>
> Then why don’t you share the information on how to fix the problem,
> since this was the original question by the OP.
I did.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
In private? Or in a thread? If in a thread please provide a link. If in private, please share the information publicly since other users will need it. Me included.
Thank you.
Thank you DenverD. IMO there is no such thing as redundant information. I think that people searching will maybe find this thread and would find a no-go. Anyway, the thread was open. Now this is really useful to everybody who comes by. I really appreciate the bother that you took. Cheers.
BTW, there are claims that Apparmor does slow the system down. Personally I have problems understanding the argument, since people pile on KDE desktop effects, Akonadi, Nepomuk. So I did not feel any slowdown problem related to Apparmor in 11.4, to be honest. One other thing, since we talked about Tomoyo here and about Apparmor: there is also S.M.A.C.K, which seems to be inside the kernel. It is AFAIR “a SLED for dummies/n00bs”. So obviously I am interested.
On 02/13/2012 09:46 AM, stakanov wrote:
> there are claims that Apparmor does slow the system down.
i think that comes from the slight pause of a few seconds while
AppArmor is setting up, during boot…i remember several here saying
that they had disabled AppArmor after running bootchart (if that is the
correct name for the app which [then] produced a colorful chart of where
the time goes during a boot)…
as far as once booted, i don’t think anyone has quantified a slowdown
there–but, maybe…because, obviously if there are access rules for
various executables those must be checked (at the speed of light, minus
the CPU Mhz and queue delay) prior to execution…
maybe the slowdown is measurable–but, i have not seen the results of
those comparative analyses…
and, as you say: compared to the molasses caused by KDE, desktop effects
and etc any AppArmor caused slowdown is probably negligible…
> In private? Or in a thread? If in a thread please provide a link. If in
> private, please share the information publicly since other users will
> need it. Me included.
I posted here, in this very same thread. I don’t understand how you cannot
see it.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
On 2012-02-13 09:46, stakanov wrote:
>
> DenverD;2439899 Wrote:
>> On 02/13/2012 08:56 AM, stakanov wrote:
>>>
>>> If in a thread please provide a link.
>>
>> http://tinyurl.com/77gasf9 where Carlos relates:
>>
>> - install AppArmor if you want it (cite:
>> http://tinyurl.com/77gasf9)
>> in 12.1 (as it is no longer default installed; cite
>> http://tinyurl.com/77gasf9)
>>
>> - boot using systemv (cite:
>> http://tinyurl.com/77gasf9)
>>
>> and, the systemd bugs are known and being worked on (cite:
>> http://tinyurl.com/77gasf9)
Wow, thanks.
What I have found out is that yast services configuration is not able to
start up AA, nor is chkconfig. That is a bug I reported. You have to go to
yast AA configuration and mark the box for AA to be enabled. Then systemd
will fail to start it, that is another bug I reported.
If anybody is interested, please add to those two bugs (746506 and 746504).
It worries me that nobody has reported this earlier.
> BTW, there are claims that Apparmor does slow the system down.
It slows the administrator! Things stop working, and you have to go and
find why, then see strange errors in the log like permission denied, daemon
crashing. Then you think: ah, that must be AA. Then find the profile and
adjust it. It is a nuisance.
But then, that’s the price to pay for a little security. The profiles given
cannot work for everybody because a) nobody tested it during factory
testing or b) your system is set up differently. For example, if you share a
different folder than your neighbor, the samba profile will not work.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
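The denials Carlos describes (permission denied in the log, a daemon failing, then finding the profile and adjusting it, for instance a samba share in a folder the shipped profile does not cover) can be triaged from the audit log itself. The following is an added example, not code from this thread or from the AppArmor project: it parses constructed apparmor="DENIED" lines and proposes merged candidate rule lines per profile (the paths, PIDs, timestamps and the widening to <dir>/* are assumptions; the project's aa-logprof tool does this job interactively).

```python
import re
from collections import defaultdict

# Constructed sample lines in the key="value" format AppArmor writes to the
# kernel/audit log (paths, PIDs and timestamps are made up for this example).
SAMPLE_LOG = """\
type=AVC msg=audit(1328945000.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/srv/shares/docs/report.odt" pid=2301 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1328945001.456:46): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/srv/shares/docs/notes.txt" pid=2301 comm="smbd" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1328945002.789:47): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nmbd" name="/var/lib/samba/wins.dat" pid=2305 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1328945003.000:48): apparmor="DENIED" operation="exec" profile="/usr/sbin/smbd" name="/usr/bin/smbspool" pid=2310 comm="smbd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
MASK_MAP = {"c": "w", "d": "w"}  # log-only create/delete letters map to 'w' in a rule
RULE_ORDER = "rwalkm"            # canonical order of file permission letters

def parse_denials(text):
    """Return one dict of key="value" fields per apparmor="DENIED" line."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines()
            if 'apparmor="DENIED"' in line]

def suggest_rules(text, collapse_dirs=True):
    """Group denials per profile into candidate rule lines.

    Masks for one path merge (r + wc -> rw); non-exec paths widen to <dir>/*
    since a share rarely holds one file (assumption); exec denials become
    'ix' (inherit) rules, which the admin must still review before adopting.
    """
    wanted = defaultdict(lambda: defaultdict(set))
    for ev in parse_denials(text):
        path = ev["name"]
        if collapse_dirs and ev.get("operation") != "exec":
            path = path.rsplit("/", 1)[0] + "/*"
        wanted[ev["profile"]][path].update(MASK_MAP.get(c, c) for c in ev["denied_mask"])
    rules = {}
    for profile, paths in wanted.items():
        lines = []
        for path, mask in paths.items():
            perms = "".join(c for c in RULE_ORDER if c in mask)
            if "x" in mask:
                perms += "ix"
            lines.append(f"{path} {perms},")
        rules[profile] = sorted(lines)
    return rules

if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"# candidate additions for profile {profile}")
        for rule in lines:
            print("  " + rule)
```

On a real system the input would be the matching lines from the kernel log or audit.log, and each suggested rule should be checked against what the daemon actually needs before it goes into the profile.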
You posted in a thread a link like DenverD did? No, no links in my output. I cannot see any indication of the things Denver did post. If you posted a link, there is a problem, as I only have the links from DenverD.
Well, no, I had read people reporting that it has a performance impact. But I guess that is only to be found if you run one of these benchmark things. Same thing on TOMOYO.
Yes, I had this too, that something does not start and in the end it is AA. This especially if you do your profile very restrictively. And if you have, unlike me, a machine with a lot of users on it, well, that for sure must not be easy.
BTW:
out of curiosity - Telcontar, is it this? Wiki: In the fictional universe of J. R. R. Tolkien, the House of Telcontar, previously the House of Elendil, is the Royal House of the Reunited Kingdom of Arnor and Gondor.
Just because I also found Telecontar, which is a totally different thing.