[apparmor] [patch] make tftp server for dnsmasq working

Seth Arnold seth.arnold at gmail.com
Tue Apr 17 20:00:29 UTC 2012


I'd like to voice my opposition to putting this style of tool in any automatic position -- it feels as dirty as SELinux's relabeling daemon to me, to give some idea of how much I dislike it -- by putting policy in application configuration files we lose the ability to confine incorrect configuration or even open the policy up to further exploitation if the config files are writable by something horrible like cpanel or open swat or worse.

I'm fine with their use as part of a human-driven profile generator, such as aa-genprof or the newfangled simpleprof, but at boot feels very wrong. To abuse an analogy, it feels like setting one's suspenders to expand or contract to match the belt.

-----Original Message-----
From: Christian Boltz <apparmor at cboltz.de>
Sender: apparmor-bounces at lists.ubuntu.com
Date: Tue, 17 Apr 2012 21:51:52 
To: <apparmor at lists.ubuntu.com>
Subject: Re: [apparmor] [patch] make tftp server for dnsmasq working

Hello,

On Monday, 16 April 2012, Steve Beattie wrote:
> The ideal solution would be something integrated into the dnsmasq init
> script process that parses out the dnsmasq config enough to determine
> the tftproot and sets a variable in an included file for the profile
> before loading both the profile and starting dnsmasq.
> 
> Since that's not going to happen, 

Never say never ;-)

For example, the Samba package in openSUSE >= 12.1 has a script that 
creates a profile snippet at startup for all shares. (Guess who wrote 
it... ;-)

Doing something similar for dnsmasq shouldn't be too hard. (But I won't 
do it.)

> and while I'm not particularly keen on having multiple default 
> directories, 

The alternative would be to maintain per-distribution patches forever, 
which doesn't sound better to me.

> I don't have a strong objection to it going in.

You are too late anyway - it's committed ;-)


Regards,

Christian Boltz
-- 
>>I know enough NT admins with salaries from 150 KDM upward who 
>>know less about NT than I do  -  and that is _very_ little.
>NT admins are paid like members of the Bundestag?
Where do you get offers like that? Is there an MCSE red-light strip somewhere?
[in dasr]
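
The approach quoted above (parse the TFTP root out of the dnsmasq config and set a profile variable before loading the profile), with a guard for the objection in the reply: the generator only accepts directories under an allowlist it owns, so a writable dnsmasq config cannot widen the policy. This is an added example, not code from the thread or from the dnsmasq, Samba or AppArmor packages; `ALLOWED_PARENTS`, `@{TFTP_DIR}` and the function names are assumptions, and the sample configs in use are constructed.

```shell
#!/bin/sh
# Added example; ALLOWED_PARENTS and @{TFTP_DIR} are assumed names.
# The allowlist lives with the generator (root-owned), not in dnsmasq's config.
ALLOWED_PARENTS="/srv/tftp /srv/tftpboot /var/lib/tftpboot"

# Print every tftp-root value in dnsmasq config $1, one per line,
# without the optional ",<interface>" suffix.
tftp_roots_from_conf() {
    sed -n 's/^[[:space:]]*tftp-root[[:space:]]*=[[:space:]]*//p' "$1" |
        cut -d, -f1 | sed 's/[[:space:]]*$//'
}

# Succeed only for a plain path at or below one of ALLOWED_PARENTS.
tftp_root_is_safe() {
    case "$1" in
        # empty, traversal, or anything AppArmor could read as a glob/variable
        ''|*..*|*[!A-Za-z0-9/._-]*) return 1 ;;
    esac
    for parent in $ALLOWED_PARENTS; do
        case "$1" in
            "$parent"|"$parent"/*) return 0 ;;
        esac
    done
    return 1
}

# Print "@{TFTP_DIR}=<dir> ..." for a profile include, or fail without output.
emit_tftp_tunable() {
    roots=$(tftp_roots_from_conf "$1") || return 1
    out=
    while IFS= read -r root; do
        if ! tftp_root_is_safe "$root"; then
            echo "refusing tftp-root '$root' from $1" >&2
            return 1
        fi
        out="$out $root"
    done <<EOF
$roots
EOF
    printf '@{TFTP_DIR}=%s\n' "${out# }"
}
```

A config with no `tftp-root` line, or with any value outside the allowlist, makes `emit_tftp_tunable` fail, so an init script can keep the previously loaded profile instead of loading a wider one.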

