Ticket #982 (new enhancement)

Opened 5 years ago

Last modified 5 years ago

Ship Midgard with AppArmor policy files

Reported by: bergie Assigned to: jval
Priority: minor Milestone: 8.09.10 Ragnaroek
Component: Midgard Data Version: 8.09 Ragnaroek
Keywords: Cc:

Description

AppArmor? is the security system used by Ubuntu and SuSE. Similar to SELinux from #538, we should ship Midgard with AppArmor? settings.

Change History

03/18/09 11:53:24 changed by jval

Is it the same with AppArmor? as it's with SELinux that every distribution has it's own base settings/policy and the shipped Midgard policy would be different for every distribution? Or is AppArmor? different - could the same policy work everywhere?

Is AppArmor? preventing Midgard from working out-of-the box in some distribution? (If it is, it kind of makes this more important and thus priority major is justified. Otherwise this is more like a nice to have issue and thus priority is kind of lower then.)

Is midgard-core the right component for this? The SELinux issue was midgard-data issue in the end because it's midgard-data which configures Midgard in a way it required a policy.

03/18/09 12:26:57 changed by jval

  • priority changed from major to minor.
  • component changed from Midgard Core to Midgard Data.

<bergie> jval: AFAIK AppArmor? is quite similar to SELinux

<jval> bergie: does some distribution set it up in a way midgard is blocked by default?

<bergie> I don't think so

03/18/09 12:28:29 changed by jval

<bergie> but it would be good to supply to boost our "midgard is secure" image

04/06/09 16:44:22 changed by bergie

  • owner changed from piotras to jval.

(follow-up: ↓ 6 ) 04/06/09 17:31:38 changed by jval

I'm not able to work on this in the near future (because the distros I use daily don't have AppArmor? and I'm not familiar with AppArmor?). I might get my hands on this later (post .5 for almost certainly), but I can't say when or even will I ever. :)

So if someone else has interest on this issue, feel free to take it and work on it.

(in reply to: ↑ 5 ) 04/06/09 21:27:15 changed by jval

So if someone else has interest on this issue, feel free to take it and work on it.

The problem part* is the actual AppArmor? configuration. If it requires packaging like the SELinux thing required, I can make the necessary RPM spec file changes (in case of SUSE for example). And Piotras can make the necessary deb packaging changes (in case of Ubuntu for example).

* I guess it's actually easy, but as I said I don't know AppArmor? and at the moment I have no access to a box which has it.

04/22/09 13:31:02 changed by jval

  • milestone changed from 8.09.5 Ragnaroek to 8.09.6 Ragnaroek.

10/20/09 13:15:17 changed by piotras

  • milestone changed from 8.09.6 Ragnaroek to 8.09.7 Ragnaroek.