[pkg-apparmor] Bug#881460: apparmor-profiles: dhclient set to enforce prevents getting an IPv4 with DHCP

intrigeri intrigeri at debian.org
Tue Nov 14 08:52:48 UTC 2017


Hi,

Gabriel Filion:
> intrigeri:
> thanks for the super clear explanation for changing the status :)

:)

>> If you came across instructions that told you to enforce such profiles
>> and that did not point you to the aforementioned warning, then I'm
>> very sorry! I'll treat this as a RC bug. Please point me to that doc
>> and I'll fix it ASAP. Thanks in advance!

> fwiw I was following mainly the debian wiki pages about apparmor. I
> remember reading the advisory, but for some reason I didn't keep the
> information that "the profiles might not work with default
> configurations" when reading. probably some level of confusion on my part.

I see, I guess this is:
https://wiki.debian.org/AppArmor/HowToUse#Enable_.2F_install_more_profiles

IIRC I recently updated it to make the warning more visible and
clearer. It might be that it used to be much less scary when you read
it initially.

>> The good news is that there is a dhclient profile available elsewhere,
>> that works way better on Debian: see #795467.

> ok I can see that it looks like the proposed profile for isc-dhcp-client
> is the one from ubuntu. still no reply from debian packagers about this
> though, two years later.

> what approach should we take here in order to get things going? do you
> think that having more feedback from ppl who use the profile
> successfully would help to get that merged in, or do you suspect it
> might just be lack of available time or interest from package maintainers?

I think the added value of shipping AppArmor profiles was pretty low
2 years ago, as AppArmor was not enabled by default. So I totally
understand maintainers treating it as very low priority.

This is being changed in testing/sid though. So I would go back to the
maintainers a couple months after AppArmor is enabled by default, and
our case will be much stronger then. But really, right now I'm not
into adding new profiles: I'd rather polish the existing ones and
handle bug reports about them, to make the "enabling AppArmor by
default" experience as smooth as possible.

> also, maybe if we can get more ppl to test ubuntu's profile in debian,
> then they'd be willing to upstream it in apparmor?

That's a possibility. Or, we upstream it ourselves.

Cheers,
-- 
intrigeri


