
Take into account feedback from AppArmor developer

In September 2017 I got the mail below from Christian Boltz. It looks like our AppArmor section is outdated and should be completed to be as exhaustive as the openSUSE link referenced.

We can't reuse the content as-is because of the GFDL license (we use CC-BY-SA and GPL).

Hi Raphaël,

in case you have never heard of me - I'm one of the upstream AppArmor
developers (focusing on the aa-* tools written in Python) and also
maintain the AppArmor package in openSUSE. Besides that, I help the
Debian AppArmor team as needed - but I have never used Debian ;-)

I just read through the debian-devel discussion about enabling AppArmor
by default and noticed your pointer to
https://debian-handbook.info/browse/stable/sect.apparmor.html

Your mail sounds like you are the author of that manual section.
(If I'm wrong, a pointer who I should contact is welcome ;-)

You might want to look at the openSUSE Security Guide, which is more
detailed and describes all AppArmor rule types (except the "new" ones
that are currently being upstreamed):
https://doc.opensuse.org/documentation/leap/security/html/book.security/part.apparmor.html

You are even allowed to "steal" ;-) the openSUSE documentation - it's
GFDL-licensed, for details see
https://doc.opensuse.org/documentation/leap/security/html/book.security/book.security.html
If you are interested in using it, it's probably a good idea to get in
contact with the openSUSE documentation team [1] and find a way to make
sharing it easier ;-)
Or just add a link to the openSUSE Security Guide ;-)  [2]

Two notes about the AppArmor section on debian-handbook.info:

A funny detail is that you included something in the aa-genprof
transcript which shows a bug:

    WARN: unknown capability: CAP_net_raw

Please remove this line from the manual ;-)

I checked the bzr log, and this was fixed in November 2014 - if you
still see it, please tell me ;-)


I'd also recommend removing   flags=(complain)   from the
dhclient-script child profile.

Regards,

Christian Boltz

[1] send a mail to opensuse-doc+subscribe@opensuse.org to subscribe to
    the documentation team's mailing list (low traffic)

[2] yes, I know linking to another distro's manual might trigger some
    political issues and/or flamewars ;-) - but OTOH it would save you
    some work so it could be worth this *g*
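As an added illustration of the second point (this skeleton is constructed for this issue; it is neither the handbook's profile nor anything from Christian's mail, and the paths and rules are assumed), a parent profile with a child profile for dhclient-script, showing the flag that should be dropped:

```apparmor
# Constructed example profile, assumed path /etc/apparmor.d/sbin.dhclient.
# The parent profile has no flags, so it runs in enforce mode.
/sbin/dhclient {
  #include <abstractions/base>

  # Capabilities aa-genprof proposes for a DHCP client (assumed set).
  capability net_bind_service,
  capability net_raw,

  /sbin/dhclient mr,
  /etc/dhcp/** r,
  /var/lib/dhcp/** rw,

  # Cx: run the hook script under the child profile defined below,
  # named after the executable path.
  /sbin/dhclient-script Cx,

  # Weak form this issue is about: the child carries flags=(complain),
  # so its violations are only logged (audit "ALLOWED" records) and the
  # script is effectively unconfined even though the parent is enforced:
  #
  #   profile /sbin/dhclient-script flags=(complain) {
  #
  # Corrected form: no flags, so the child profile is enforced as well.
  profile /sbin/dhclient-script {
    #include <abstractions/base>
    #include <abstractions/bash>

    /sbin/dhclient-script r,
    /bin/bash ix,
    /etc/dhcp/dhclient-enter-hooks.d/* r,
    /etc/dhcp/dhclient-exit-hooks.d/* r,
    /etc/resolv.conf rw,
    /run/resolvconf/** rw,
  }
}
```

After editing, reload the profile with `apparmor_parser -r <file>` and check `aa-status`, which lists child profiles as `parent//child`; the dhclient-script entry should now appear under the enforce-mode profiles rather than the complain-mode ones.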