Apparmor

Hello Forum

I have to admit that I do not know whether this is the right place to ask, as there is no security section, and therefore I’m posting here - if it was wrong, please move my post to the correct section. During the last weeks I have checked different MAC frameworks and I’m still wondering why openSUSE does not have apparmor enabled, as there is even a guide on how to enable it (https://doc.opensuse.org/documentation/html/openSUSE/opensuse-security/book.security.html). It is enabled on SLES (which I have too) and I have searched the web for an answer why it is enabled on SLES but not on openSUSE - a lot has changed in apparmor and it seems that development is now mostly done at Ubuntu/Canonical; that could be the reason, and therefore it is maybe a dead project for openSUSE (SuSE??) and it would be better that I invest time in learning SELinux. However, it is not enabled by default (SDB:SELinux - openSUSE) in openSUSE either, and therefore I’m uncertain what is the best way to go. I have checked different distributions: RHEL/Fedora are using SELinux (default/enabled), Ubuntu Apparmor (default/enabled), Debian (SELinux, Apparmor, TOMOYO, SMACK can be enabled), SLES (Apparmor/enabled) - is there anybody who can answer my questions or has details about the status/future of apparmor/SELinux in openSUSE?? Thank you in advance.

On 2013-09-11 21:36, FurciferPardalis wrote:
>
> Hello Forum
>
> During the last
> weeks I have checked different MAC frameworks and I’m still wondering
> why openSUSE does not have apparmor enabled as there is even a guide how
> to enable it (http://tinyurl.com/pl2pj7l).

Well, it is a choice you have. It is not enabled by default, not even
installed. It is up to you to do it.

It was installed and enabled by default years ago, when AA started
development by Novell employees. When they went away or were fired, soon
it was “demoted”.

SELinux was never enabled by default because it was a competitor to
Novell’s apparmor, IMHO. It is packaged, but not configured; that’s up to
you.

> SMACK can be enabled), SLES (Apparmor/enabled) - is there anybody who
> can answer my questions or have details about the status/future of
> apparmor/SELinux in opensuse?? Thank you in advance.

For that, I think you should ask at the mail lists, where the devs are.
There is a security mail list; also the factory mail list would be
appropriate, perhaps.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

Thank you for your post and time. I think I have to ask the developers what is scheduled for SLES 12, but I do not think that I will get any information yet. However, openSUSE is a different project and I think that I should get a positive answer or more background information on why both frameworks are opt-in and not enabled out of the box.

On 2013-09-13 19:06, FurciferPardalis wrote:
>
> Thank you for your post and time. I think I have to ask the developers
> what is scheduled for SLES 12, but I do not think that I will get any
> information yet. However, openSUSE is a different project and I think
> that I should get a positive answer or more background information on why
> both frameworks are opt-in and not enabled out of the box.

But you will not get it here. The forum is a place where users talk,
there are almost no developers here.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

On Wed, 11 Sep 2013 19:36:05 +0000, FurciferPardalis wrote:

> It is enabled on SLES (which I have too) and I have searched the web for
> an answer why it is enabled on SLES but not on openSUSE

It’s much easier to predict what a SLES server will be used for than
openSUSE. SLES is a server distribution, so there’s a fairly limited
number of rules that need to be set up and enabled.

Desktop usage, though, is quite different, and having various profiles
enabled for the desktop might interfere with desktop applications in
unexpected ways. Better not to inconvenience users who don’t have an IT
background in that regard.

Just an educated guess on my part - but it seems a reasonable assumption.

The decision, though, is made by different people for the different
releases.

I wouldn’t consider AppArmor “dead” in openSUSE/SUSE by any means. It
does, however, need a more intuitive UI, IMHO.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2013-09-13 19:37, Jim Henderson wrote:
> I wouldn’t consider AppArmor “dead” in openSUSE/SUSE by any means. It
> does, however, need a more intuitive UI, IMHO.

Development of the interface is stuck.
There is a yast interface, incomplete, and ugly. It works partially.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

I do not think it is a good way to disable it, because users should be protected out of the box, and even if you only enable apparmor profiles for browsers, mail clients and document viewers I think you cover a large part of internet security problems. Sure, it will take some time, but it is better that developers/packagers do their work with the assumption that a MAC framework is enabled. I’ve checked Fedora’s mailing list and they have done a lot of work to iron out problems with SELinux, and it is working (occasional application problems get fixed very fast and a developer is even blogging SELinux tips); it seems most users do not even know that SELinux is used and working in the background. Therefore I think the same should be possible for openSUSE too, as in the case of a live image the applications concerned are known.

On Sat, 14 Sep 2013 17:46:03 +0000, FurciferPardalis wrote:

> I do not think it is a good way to disable it, because users should
> be protected out of the box, and even if you only enable apparmor
> profiles for browsers, mail clients and document viewers I think you
> cover a large part of internet security problems. Sure, it will take
> some time, but it is better that developers/packagers do their work
> with the assumption that a MAC framework is enabled.

Well, it seems that whomever made the call for openSUSE didn’t agree with
this, but you could suggest it for 13.2 (13.1 is feature locked now, so
it won’t happen there). Maybe you can sell them on that.

Jim


Suggest it to the developers. But I have seen a lot of people shoot themselves in the foot playing with apparmor settings back when it was installed and started by default. I’m just as happy it is not, and if I feel I need it I can always install it and set it to be as paranoid as I like.

It is not a problem for me as long as I can enable it myself and do not have to compile a kernel which supports it and packages to make it work. Apparmor is easier to set up; for SELinux I had to relabel the filesystem and it took me some time to understand what’s going on. SELinux is a very powerful beast and, I have to admit, somewhat complicated: you have to craft really detailed profiles where applications work in a tight security context (I got fascinated by SELinux sandboxes, but this is OT for this thread). By suggesting, do you mean openFATE or the factory mailing list?

Thank you, and I understand what you mean by shooting themselves in the foot - my first apparmor profile for firefox gave me some headaches, as firefox was starting and crashing, and now I have it working with a stricter profile than the one in /etc/apparmor/profiles/extras/. Everything is well documented in openSUSE (security guide) and it helps to understand how applications work and what I have to enable so that an application works under a MAC framework.

On Sat, 14 Sep 2013 21:26:02 +0000, FurciferPardalis wrote:

> By suggesting, do you mean openFATE or the factory mailing list?

Either place would be a good place to bring the topic up. The Factory
list might also provide additional insight as to why it’s disabled by
default.

Jim


On 2013-09-15 00:21, Jim Henderson wrote:
> On Sat, 14 Sep 2013 21:26:02 +0000, FurciferPardalis wrote:
>
>> By suggesting, do you mean openFATE or the factory mailing list?
>
> Either place would be a good place to bring the topic up. The Factory
> list might also provide additional insight as to why it’s disabled by
> default.

It causes many problems for unsuspecting people, and raises many questions.

Like, imagine, nscd failing because some permission is denied because of AA. Imagine how many things
would not work, and then imagine the support nightmare of people asking. Or mails being blocked
because postfix gets permission denied.

Often AA profiles do not work; they have to be adjusted to the particular case. I use AA, and every
install has those problems.

And, if you search the log of the application, at worst you see a permission denied issue, with no
mention of apparmor anywhere.

Better let the admin activate it manually, so that he knows to expect issues and where they come from.


Cheers / Saludos,

Carlos E. R.
(from oS 12.3 “Dartmouth” GM (rescate 1))
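Two of the complaints in this thread, the Firefox profile that kept crashing until its rules were widened and the application log that shows only "permission denied" with no mention of AppArmor, both come down to reading the kernel audit messages instead of the application's own log. The script below is an added example, not code from the thread, from openSUSE or from the AppArmor project: it parses constructed sample lines in the kernel `audit: type=1400` format, counts what each profile refused, and drafts candidate rule lines for the admin to review. Every path, pid and profile name in the sample is made up, and the `ix` exec qualifier it emits is a placeholder, since the exec transition mode is a decision the admin has to make.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the shape of AppArmor kernel audit
# messages plus one application-side error line.  They are made up for
# this example; the paths, pids and profile names are not from the thread.
SAMPLE_LOG = """\
[ 1234.567890] audit: type=1400 audit(1379182561.123:4567): apparmor="DENIED" operation="open" profile="/usr/lib64/firefox/firefox" name="/home/user/.gnupg/pubring.gpg" pid=4321 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 1234.567891] audit: type=1400 audit(1379182561.456:4568): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/var/run/nscd/socket" pid=1234 comm="nscd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[ 1234.567892] audit: type=1400 audit(1379182562.001:4569): apparmor="STATUS" operation="profile_load" name="/usr/sbin/nscd" pid=999 comm="apparmor_parser"
[ 1234.567893] audit: type=1400 audit(1379182563.555:4570): apparmor="DENIED" operation="exec" profile="/usr/lib64/firefox/firefox" name="/usr/bin/gpg" pid=4321 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
[ 1234.567894] audit: type=1400 audit(1379182563.999:4571): apparmor="DENIED" operation="open" profile="/usr/lib64/firefox/firefox" name="/home/user/.gnupg/pubring.gpg" pid=4321 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 14 17:46:03 host nscd[1234]: could not open /var/run/nscd/socket: Permission denied
"""

# key="quoted value" or key=bareword; the quoted alternative is tried first
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line as a dict, or
    None for anything else, such as the application's own 'Permission
    denied' message, which never names AppArmor."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def parse_events(log_text):
    return [e for e in (parse_event(l) for l in log_text.splitlines()) if e]


def _missing_rule_events(log_text):
    # DENIED = enforce mode refused it; ALLOWED = a complain-mode profile
    # let it through but reports that its rules do not cover it.  Both mean
    # a rule is missing.  STATUS (profile loads) and AUDIT records are skipped.
    for ev in parse_events(log_text):
        if ev.get("apparmor") in ("DENIED", "ALLOWED") and "profile" in ev and "name" in ev:
            yield ev


def summarize_denials(log_text):
    """Count events per (profile, path, operation) so the admin can see at a
    glance which program was blocked on which file, and how often."""
    counts = defaultdict(int)
    for ev in _missing_rule_events(log_text):
        counts[(ev["profile"], ev["name"], ev["operation"])] += 1
    return dict(counts)


def suggest_rules(log_text):
    """Draft candidate profile rule lines, one list per profile, merging the
    access modes requested on each path.  An 'x' access is written as 'ix'
    (inherit the current profile) purely as a placeholder: choosing the exec
    transition (ix, Px, Ux, ...) is a security decision, so every drafted
    line must be reviewed before it goes into a profile."""
    modes = defaultdict(set)  # (profile, path) -> set of mode letters
    for ev in _missing_rule_events(log_text):
        mask = ev.get("denied_mask") or ev.get("requested_mask") or ""
        modes[(ev["profile"], ev["name"])].update(mask)
    rules = defaultdict(list)
    for (profile, path), letters in sorted(modes.items()):
        mode = "".join(sorted(letters - {"x"}))
        if "x" in letters:
            mode += "ix"
        rules[profile].append(f"{path} {mode},")
    return dict(rules)


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_LOG).items():
        print(n, key)
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(profile)
        for line in lines:
            print("   ", line)
```

Feed it the output of `dmesg` or the audit log instead of `SAMPLE_LOG` and the "permission denied" that the application reports turns into a named profile, path and access mode. On a real system the AppArmor utilities' `aa-logprof` does this job properly and interactively; the point of the script is to show why the application log alone is the wrong place to look.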

On Sat, 14 Sep 2013 22:38:49 +0000, Carlos E. R. wrote:

> It causes many problems for unsuspecting people, and raises many
> questions.

Sure, but if OP wants an answer rather than a guess, Factory’s as good a
place as anyplace to get a definitive answer.

But you might guess that I agree with you.

Jim
