search

rockstor / rockstor-core

Linux/BTRFS based Network Attached Storage(NAS)
http://rockstor.com/docs/contribute_section.html
GNU General Public License v3.0
547 stars 137 forks source link

Establish rockstor-apparmor.service #2699

Open phillxnet opened 9 months ago

phillxnet commented 9 months ago

(AppArmor)[https://apparmor.net/] is an intergral part of our upstream OS security, we should formalise our requirement by way of a new systemd service; akin to how snapd does this.

Proposed new service rockstor-apparmor.service

This issue is likely related to, i.e. has a dependency on:

which we may have to grant sufficient privileges/AppArmor exceptions to.

phillxnet commented 8 months ago

Linking to recent reduction in requirements re our Poetry install from /root to OS provided python311-pipx global install in /usr/local/bin: "Update Poetry build system & normalise on Python 3.11 #2703 #2754 #2693" #2755

phillxnet commented 8 months ago

To complete this issue, given it will be an ongoing endeavour, it is proposed that we present only the basic skeleton. This way we at least introduce the new service and tie it into our other existing services so that it at least exists as a beginning point to begin our AppArmor compatible journey.

I.e. We start with a place holder tied to our other services. Then we have a central place to add/adjust as and when needed. This initial placeholder is the proposed purpose of this issue.

phillxnet commented 4 months ago

It is proposed that we now consider this issue as part of our next testing phase: there are simply too many basic changes that will need a lot of field testing to ensure no regressions. Removing from current Stable Release Milestone as a result.

Not also that our upstream, and that ultimately of Leap 16's, slowroll, may now be moving more in the direction of SELinux: https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/WBQGFYUTE4NJLL5JNK5NQSN5OXXWP5QM/

SUSE will be moving to SELinux over time. I can't speak for the openSUSE project overal, but everything we consume from SUSE will use SELinux going forward, so I expect that openSUSE will head in a general direction.

Quote from above url by: Johannes Segitz

Thanks to @FroggyFlox for this link. And we may, with this info, transition this issue to an SELinux orientated one.