[pkg-apparmor] Bug#702030: [DSE-Dev] forbid most packages to depend on or recommend apparmor

u u at 451f.org
Tue Oct 21 11:19:49 UTC 2014 

Hi,

after reading through
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702030 and the related
bugs, I think that there might be an easy way to get this to work.

>>>> (Also, what happens if someone has already enabled selinux, then
>>>> installs this apparmor package which is intended to automatically
>>>> enable apparmor?)

>>> The *last* LSM activated on the kernel command-line is the one
>>> that's enabled in practice (tested both ways). So, installing a
>>> apparmor package, that automatically enables this LSM, would
>>> override the previous manual enabling of SELinux. The reciprocal
>>> applies when running selinux-activate (which is arguably a more
>>> explicit choice made by the administrator than installing the
>>> apparmor package).

>>> IMO, both should first check if another LSM is enabled.

> That sounds like a good idea. It would be nice to have some kind of
> standard way to tell if any other LSM is enabled, otherwise we all
> have to maintain some
> selinuxenabled | $apparmorenabled | $whateverelseenabled
> shell snippets on our own.

I guess having "some kind of standard way to tell if any other LSM is
enabled" is easy to answer, right? Just check if in /etc/default/grub
there is an active "security" option set for GRUB_CMDLINE_LINUX.

Then, the proposed debconf option seems to be the easiest to implement,
from my point of view.
Just use a postinstall script in every LSM package, then check
GRUB_CMDLINE_LINUX to select the activated security module or set to
"none" if there is none.
(As intrigeri pointed out to me, the current selinux enablement tool
only supports Grub in any case.)

The script would still need to check if there are other security modules
installed and propose those as other possible options.

This could become "dh_enable_lsm".


>From my understanding, this way, no change to lintian nor policy would
be required.

It would also solve the problem which intrigeri talks about in his
first comment on #702030 about making choices permanent.

And with those scripts, i suppose that it would be possible to run
dpkg-reconfigure on any of those packages at a later point in time,
making it easier for lambda users to select a LSM, add the relevant
lines to grub.cfg, and run update-grub.

Cheers,
u.

More information about the pkg-apparmor-team mailing list