On Sunday 05 September 2021 at 12:54:01, tito via Dng wrote:
> On Sun, 05 Sep 2021 10:18:15 +0000 g4sra wrote:
> >
> > How is Apparmor abusive ?
>
> I'm not very fond of apparmor for various reasons:
>
> 1) I experienced unexpected behavior of programs
> silently failing to do something (log, run, etc)
> because the apparmor profile was wrong/bugged
>
> 2) unless you study every code path in the program you want to
> supervise the profiles used will not be safe but nobody really cares
> (e.g. maintainer adds a profile that works with the default setup
> of the distro (....if it really works))
>
> 3) if you use a customized setup of services or other programs
> it is highly probable that the profiles will not work for you
So, a bad configuration doesn't work as you would like. No surprise there,
really.
> Summary:
> apparmor gets in the way of doing stuff...
You can say the same about network firewalls (or almost any security measure,
in fact). Security is seldom aligned with convenience.
However, just as many people would not want to operate systems without a
network firewall, and are prepared to configure it correctly for their needs, I
think apparmor has a valuable place in enforcing security within one system;
the price is that the system admin has to tell it to do the right job.
Antony.
--
Was ist braun, liegt ins Gras, und raucht?
Ein Kaminchen...
Please reply to the list;
please *don't* CC me.