Default mode for apparmor profiles : complain or enforce ?

David Nielsen david at lovesunix.net
Wed Jun 6 14:25:14 BST 2007


Tue, 05 06 2007 at 16:56 -0400, Mathias Gug wrote:
> Hi,
> 
> I'm currently working on AppArmor integration. I was wondering whether
> profiles should be installed in complain or enforce mode by default.
> 
> In complain mode, the application is not stopped from doing its job.
> Policy violations are only logged.
> In enforced mode, the application is denied access to resources, which
> tends to break things badly.
> When SELinux was enabled by default in FC2, things went really bad 
> and most of the people just turned it off.
> 
> So to avoid the same fiasco, I thought about shipping all profiles in
> complain mode at first. Once profiles have been more tested, they could
> be installed in enforce mode by default.

It seems to defeat the purpose to have additional security capabilities
and not let them do their job. Clearly if they stop legitimate
functionality then that is a bug and should be reported; a tool like
SELinux troubleshooter would greatly help users catch them for you so
policies could be adjusted. If you set it to just log, users don't
benefit from a more secure setup and bugs will go unnoticed, making the
entire purpose rather self-defeating.

- David Nielsen