[apparmor] Centralized or distributed policy [Was: License and copyright of ~apparmor-dev/apparmor-profiles?]

Jamie Strandboge jamie at canonical.com
Fri Aug 29 15:26:48 UTC 2014


On 08/27/2014 07:28 PM, intrigeri wrote:
> Hi (again!),
> 
> Jamie Strandboge wrote (20 Aug 2014 21:43:59 GMT) :
>>  * When shipping in a package, ideally the package should support both complain
>>    and enforce mode for individual profiles so that installing it may enable
>>    enforcing policy (this isn't a collaboration concern, just a packaging one)
> 
> I'm not sure I understand what you mean here. May you please point me
> to an example of what you find to be the best practice in this area?
> 
I think I changed my thought and didn't read what I sent carefully enough. What
I meant to say is:
 * When shipping several profiles in a common policy package, ideally the package
   would ship each individual profile in enforcing mode so when the policy
   package is installed, there is nothing more the user has to do to enable the
   policy. You may want to ship some individual profiles in complain mode if
   they aren't fully baked or dependent on certain configuration of the confined
   app.

On that note, in Ubuntu, we don't turn on policy by default unless the policy
works for all the common cases (and even some uncommon ones). This results in
policy that is not as restricted as it could sometimes be, but achieves a
greater good by having a perhaps slightly less restrictive policy enabled for
everyone. This has proved to be a very worthwhile compromise since users are
happier. In other words, our philosophy is that users shouldn't have to be aware
that AppArmor is enabled and protecting them the vast majority of the time. I
personally think this makes a lot of sense for Debian too. :)

>>  * shipping all policy in one package means more is loaded and compiled than is
>>    strictly needed for the system
> 
> Sure. As long as we're only shipping a handful of profiles in that
> policy package, this should not be a big deal, though.
> 
Right-- a few profiles isn't bad and now I better understand the goals of this
package. I think we are all hoping that by working together we can have scores
of profiles, so having the discussion now and thinking about when that day comes
is worthwhile.


-- 
Jamie Strandboge                 http://www.ubuntu.com/
