Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Establish rockstor-apparmor.service #2699

Closed
phillxnet opened this issue Oct 14, 2023 · 4 comments
Closed

Establish rockstor-apparmor.service #2699

phillxnet opened this issue Oct 14, 2023 · 4 comments

Comments

@phillxnet
Copy link
Member

phillxnet commented Oct 14, 2023

(AppArmor)[https://apparmor.net/] is an intergral part of our upstream OS security, we should formalise our requirement by way of a new systemd service; akin to how snapd does this.

Proposed new service rockstor-apparmor.service

This issue is likely related to, i.e. has a dependency on:

which we may have to grant sufficient privileges/AppArmor exceptions to.

@phillxnet phillxnet changed the title Establish rockstor-apparmor Establish rockstor-apparmor.service Oct 14, 2023
@phillxnet
Copy link
Member Author

Linking to recent reduction in requirements re our Poetry install from /root to OS provided python311-pipx global install in /usr/local/bin:
"Update Poetry build system & normalise on Python 3.11 #2703 #2754 #2693" #2755

@phillxnet
Copy link
Member Author

phillxnet commented Nov 24, 2023

To complete this issue, given it will be an ongoing endeavour, it is proposed that we present only the basic skeleton. This way we at least introduce the new service and tie it into our other existing services so that it at least exists as a beginning point to begin our AppArmor compatible journey.

I.e. We start with a place holder tied to our other services. Then we have a central place to add/adjust as and when needed. This initial placeholder is the proposed purpose of this issue.

@phillxnet phillxnet added this to the 5.1.X-X Stable release milestone Nov 24, 2023
@phillxnet
Copy link
Member Author

It is proposed that we now consider this issue as part of our next testing phase: there are simply too many basic changes that will need a lot of field testing to ensure no regressions. Removing from current Stable Release Milestone as a result.

Not also that our upstream, and that ultimately of Leap 16's, slowroll, may now be moving more in the direction of SELinux:
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/WBQGFYUTE4NJLL5JNK5NQSN5OXXWP5QM/

SUSE will be moving to SELinux over time. I can't speak for the openSUSE
project overal, but everything we consume from SUSE will use SELinux going
forward, so I expect that openSUSE will head in a general direction.

Quote from above url by: Johannes Segitz

Thanks to @FroggyFlox for this link. And we may, with this info, transition this issue to an SELinux orientated one.

@phillxnet
Copy link
Member Author

Closing as superseded by: #2884

"Establish SELINUX compatibility" #2884

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant