Opened 6 years ago

Last modified 5 years ago

#982 new enhancement

Ship Midgard with AppArmor policy files

Reported by: bergie Owned by: jval
Priority: minor Milestone: 8.09.10 Ragnaroek
Component: Midgard Data Version: 8.09 Ragnaroek
Keywords: Cc:

Description

AppArmor? is the security system used by Ubuntu and SuSE. Similar to SELinux from #538, we should ship Midgard with AppArmor? settings.

Change History (8)

comment:1 Changed 6 years ago by jval

Is it the same with AppArmor? as it's with SELinux that every distribution has it's own base settings/policy and the shipped Midgard policy would be different for every distribution? Or is AppArmor? different - could the same policy work everywhere?

Is AppArmor? preventing Midgard from working out-of-the box in some distribution? (If it is, it kind of makes this more important and thus priority major is justified. Otherwise this is more like a nice to have issue and thus priority is kind of lower then.)

Is midgard-core the right component for this? The SELinux issue was midgard-data issue in the end because it's midgard-data which configures Midgard in a way it required a policy.

comment:2 Changed 6 years ago by jval

  • Component changed from Midgard Core to Midgard Data
  • Priority changed from major to minor

<bergie> jval: AFAIK AppArmor? is quite similar to SELinux

<jval> bergie: does some distribution set it up in a way midgard is blocked by default?

<bergie> I don't think so

comment:3 Changed 6 years ago by jval

<bergie> but it would be good to supply to boost our "midgard is secure" image

comment:4 Changed 6 years ago by bergie

  • Owner changed from piotras to jval

comment:5 follow-up: Changed 6 years ago by jval

I'm not able to work on this in the near future (because the distros I use daily don't have AppArmor? and I'm not familiar with AppArmor?). I might get my hands on this later (post .5 for almost certainly), but I can't say when or even will I ever. :)

So if someone else has interest on this issue, feel free to take it and work on it.

comment:6 in reply to: ↑ 5 Changed 6 years ago by jval

So if someone else has interest on this issue, feel free to take it and work on it.

The problem part* is the actual AppArmor? configuration. If it requires packaging like the SELinux thing required, I can make the necessary RPM spec file changes (in case of SUSE for example). And Piotras can make the necessary deb packaging changes (in case of Ubuntu for example).

  • I guess it's actually easy, but as I said I don't know AppArmor? and at the moment I have no access to a box which has it.

comment:7 Changed 6 years ago by jval

  • Milestone changed from 8.09.5 Ragnaroek to 8.09.6 Ragnaroek

comment:8 Changed 5 years ago by piotras

  • Milestone changed from 8.09.6 Ragnaroek to 8.09.7 Ragnaroek
Note: See TracTickets for help on using tickets.