[pkg-apparmor] Feedback on "Updating a profile in Debian’s apparmor-profiles-extra package"

Christian Boltz apparmor-debian at cboltz.de
Thu Jan 29 18:37:31 UTC 2015


Hello,

On Thursday, 29 January 2015, u wrote:
> I simply wanted to say that I have gotten some feedback [1] on the
> latest blogpost which appeared on planet.d.o
> 
> I think blogging about how usable AppArmor in Debian is, is a great
> idea and I want to do that before the end of the internship.
> 
> As for the second question asked, maybe one of you could answer this:
> "do you have plans on working on violation detection tool, like SUSE
> had with YaST2, and Fedora had with setroubleshootd?".

Well, unfortunately the YaST2 AppArmor module is unmaintained (it's 
still based on the old perl code) and the YaST team already dropped some 
parts that didn't work anymore. It seems the only sane/possible fix 
would be to rewrite it from scratch, and that hits the usual ENOTIME 
problem :-/

That said - the AppArmor commandline tools are actively maintained and 
are what I'd recommend to use:
- aa-genprof to create a new profile
- aa-logprof to update an existing profile
- aa-notify for things like a daily log summary or realtime desktop 
  notifications of profile violations (= audit.log entries)
- and various other aa-* tools

BTW: IIRC you don't mention those tools in the Debian wiki yet, but you 
should ;-)

Feel free to link to my blog where I have some "AppArmor crash course" 
slides:
    http://blog.cboltz.de/archives/65-openSUSE-conference.html

Those slides are 2 years old [1], but still valid. However they don't 
cover the new rule types like dbus and signal.


Regards,

Christian Boltz

[1] Actually the original version of those slides is from 2009. 
    I did some minor updates two years ago, but didn't need to change 
    much. That's the good thing about AppArmor - your knowledge doesn't 
    expire ;-)

-- 
Planning is the replacement of chance by error.
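
The message above equates profile violations with audit.log entries. As an added example (not part of the original message and not aa-notify's own code), this sketch groups AppArmor DENIED entries by profile, operation and target, roughly what a daily summary needs. The log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the audit.log format AppArmor uses (not real log data).
SAMPLE_LOG = """\
type=AVC msg=audit(1422556651.101:410): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ldap/ldap.conf" pid=1201 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1422556655.330:411): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ldap/ldap.conf" pid=1201 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1422556656.207:412): apparmor="ALLOWED" operation="open" profile="/usr/bin/evince" name="/home/u/.cache/x" pid=1300 comm="evince" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1422556658.512:413): apparmor="DENIED" operation="capable" profile="/usr/sbin/ntpd" pid=1201 comm="ntpd" capability=12 capname="net_admin"
type=USER_LOGIN msg=audit(1422556660.000:420): pid=900 uid=0 msg='op=login acct="u" res=success'
"""

# key=value pairs; values are either double-quoted or a run of non-space characters.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    return {key: value.strip('"') for key, value in KV.findall(line)}


def summarize_denials(text):
    """Count DENIED events per (profile, operation, target).

    ALLOWED events (profiles in complain mode) are skipped. The target is the
    file name for file rules and the capability name for "capable" events;
    hex-encoded names are left as logged.
    """
    counts = Counter()
    for line in text.splitlines():
        event = parse_event(line)
        if not event or event.get("apparmor") != "DENIED":
            continue
        target = event.get("name") or event.get("capname") or "-"
        counts[(event.get("profile", "?"), event.get("operation", "?"), target)] += 1
    return counts


if __name__ == "__main__":
    for (profile, operation, target), n in summarize_denials(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {profile}  {operation}  {target}")
```

Each row of the summary is a candidate rule to review with aa-logprof rather than something to allow blindly.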



