[apparmor] Generate a default/fallback profile? No blacklisting
alexofen
alexofen at gmail.com
Wed Dec 19 13:55:50 UTC 2012
Dear people working with AppArmor,
I have read the FAQ Wiki:
This point gives me quite some trouble
http://wiki.apparmor.net/index.php/FAQ#Is_AppArmor_policy_Default_Deny_.28White_listing.29
I would ask for your assistance.
I cannot understand. Either there is enough safety by the ordinary Linux
(DAC style) file permissions, which makes AppArmor and other MACs rather
superfluous, or there is a good point in having AppArmor, in which case it
makes little sense to me to be satisfied that any unknown program
results in an unconfined execution of this code?
Is there a way to have something like a fallback/default deny thing for
applications that are not profiled?
The ease of deployment should not be the primary concern and the safety
sacrificed. The product sold (AppArmor)
without profiles is rather useless (as it is in most desktop Ubuntus)
and I assume only by setting it active fall all programs via
a default profile that is limiting would be a safe solution.
I do not wanna provoke or insult etc. And if for heaven's sake it must
be that we have cases in which AppArmor
is deployed with this kind of "everything unprofiled is white", that is
ok. But what is the trick to set up a default profile?
Thank you for your support, understanding and assistance
Alexander