Re: [arch-general] AppArmor support
On 2018-09-20 18:42, David Runge wrote:
> On 2018-09-14 12:21:26 (+0200), Geo Kozey wrote:
>
> They called it 'binmerge' :) Hope this can be achieved for all profiles.
>
> https://gitlab.com/apparmor/apparmor/commit/4200932d8fb31cc3782d96dd8312511e807fd09b
>
> I think this should fix issues with referencing filenames that you mentioned. If there's something else left you may try to open issue/merge request upstream.
>
> I'll do that. There are more problems with the package, than just the profiles ;-)
>
> BTW: Upstream URL should be https://gitlab.com/apparmor/apparmor as this is where development activity occurs.
>
> Forgot to put that in (will do next time). However, I managed to only replace the use of /sbin/, /usr/sbin/ and /bin/ by /usr/bin/. The profile names are left unchanged now.
>
> To all interested: Please do test, if you have the time!
>
> Best,
> David

Have been running it for a few days, so far everything is alright. Thanks.

Also, I don't know if it should be done upstream or not, but maybe logprof.conf should be modified a little to add, for example, /usr/bin/zsh to the [qualifiers] section. And does anyone know what the point of the [repository] section is?
Re: [arch-general] AppArmor support
> But I have a question: why was AUDIT enabled in the first place? I thought it was considered useless?

AFAIK, it was considered slow (at least for syscalls), but after recent changes in the kernel it doesn't matter anymore. You can read the discussion here: https://bugs.archlinux.org/task/42954
Re: [arch-general] AppArmor support
It was accepted first [1], and then rejected for reasons that don't apply fully to AppArmor, and I didn't hide anything, so stop playing detective. Like Scimmia said, "There are better mediums to have this discussion." and for such discussions we have this mailing list, don't we?

[1] https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/linux&id=c75a915313f72924fa0a3ed45356f9e0ea488f3b

On 2018-09-09 18:24, Maksim Fomin via arch-general wrote:
> ‐‐‐ Original Message ‐‐‐
> On Sunday, 9 September 2018 17:34, Gus wrote:
>
> > > You have been rejected by heftig and tpowa. It is unclear why and what
> > > you are asking here.
> >
> > It was accepted first and then rejected by heftig.
>
> Really? Just rejected by heftig? The issue was rejected 4 times, first by heftig then 3 times by Scimmia:
>
> 2018-09-03 "A Project Manager has denied the request pending for the following task: FS#59733 - [linux] enable AppArmor & SELinux User who did this - Doug Newgard (Scimmia) Reason for denial:
>
> 2018-09-05 "FS#59733 - [linux] enable AppArmor & SELinux User who did this - Doug Newgard (Scimmia) Reason for denial: No new information"
>
> "FS#59733 - [linux] enable AppArmor & SELinux User who did this - Doug Newgard (Scimmia) Reason for denial: I'm not going to reopen a ticket for people to make the same argument over and over"
>
> "Reason for denial: Stop having a catfight with the bugwranglers because you think, somehow, that people will be less likely to open duplicate bugs just because we provide dialog. There are better mediums to have this discussion."
>
> So far, this issue was closed by heftig and then 3 times by bug wrangler. This fact was hidden in the first post to this thread.
Re: [arch-general] AppArmor support
> You have been rejected by heftig and tpowa. It is unclear why and what you are asking here.

It was accepted first and then rejected by heftig.

> Suppose AppArmor does not require linking. So what?

As heftig wrote, that was the main reason for rejecting SELinux and AppArmor support, but since it doesn't apply to AppArmor I see no reason to reject it.
Re: [arch-general] AppArmor support
Linux-hardened doesn't support hibernation and I think it's overkill to use it on desktop.

On 2018-09-09 14:04, Filipe Laíns via arch-general wrote:
> On Sun, 2018-09-09 at 13:42 +, Gus wrote:
> > I know such request was rejected here https://bugs.archlinux.org/task/59733 recently, but still AppArmor doesn't need linking with libraries and doesn't require as much userland support as SELinux, so it will not hurt to have one option enabled in kernel, right?
>
> Hey Gus,
>
> I'm sorry but I'm not the maintainer :/. You'll need to talk to them again. If you think the closure of the bug was wrong I suggest sending a mail to the mailing list explaining this.
>
> Why don't you use linux-hardened instead? It's up-to-date and has both options enabled (AppArmor and SELinux). I feel that it's the biggest issue. We already have a kernel with both options enabled so there's no point in also adding them in the main one, given that those options require a lot of userspace support.
>
> Do you have a relevant reason why you don't want to use linux-hardened? If so, that would probably change some things.
>
> Thanks,
> Filipe Laíns
> 3DCE 51D6 0930 EBA4 7858 BA41 46F6 33CB B0EB 4BF2
[arch-general] AppArmor support
I know such request was rejected here https://bugs.archlinux.org/task/59733 recently, but still AppArmor doesn't need linking with libraries and doesn't require as much userland support as SELinux, so it will not hurt to have one option enabled in kernel, right?