[MDEV-25310] investigate: Apparmor on SLES Created: 2021-03-31  Updated: 2023-04-27

Status: Open
Project: MariaDB Server
Component/s: None
Fix Version/s: 10.4, 10.5

Type: Task Priority: Major
Reporter: Timofey Turenko Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None


 Comments   
Comment by Timofey Turenko [ 2021-03-31 ]

task:

  • find out which security framework is the default in SLES
  • investigate which security policy should be added to MariaDB SLES packages
  • plan the tests for AppArmor/SELinux/Smack

Comment by Alexey Bychko (Inactive) [ 2021-04-21 ]

SUSE confirmed that SELinux is unsupported. We need to use AppArmor instead.

Comment by Alexey Bychko (Inactive) [ 2021-04-21 ]

serg, we have this for AppArmor

Comment by Alexey Bychko (Inactive) [ 2021-04-29 ]

Good reading: https://documentation.suse.com/sles/11-SP4/single-html/SLES-apparmor-quick/index.html

Comment by Alexey Bychko (Inactive) [ 2021-04-29 ]

https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-apparmor-support.html

Comment by Sergei Golubchik [ 2021-04-30 ]

Is it possible to have the same AppArmor profile for SLES and Debian/Ubuntu?
If not — maybe the differences are minor and can be parametrized?

Comment by Alexey Bychko (Inactive) [ 2021-04-30 ]

From what I see, the syntax is quite similar to SELinux. I'd say yes, it can be generated from some template.

Comment by Alexey Bychko (Inactive) [ 2021-05-14 ]

My vision on this:

1 - The issue is the Debian paths in the AppArmor profile. The file itself should be complete (if not, it may be taken again from Ubuntu/Debian).
2 - Some template files may be processed by CMake to generate the correct profile, but we don't use CPack for Debian builds. As a solution, we can generate both deb and SLES variants at the source tar step and check during the build whether the files are already generated (to handle git/srctar builds).

Comment by Alexey Bychko (Inactive) [ 2021-11-18 ]

Started looking at AppArmor on sles-15.

First, and maybe most significant: all applications run in unconfined mode by default if no profile is present.
A profile should be created to restrict potentially vulnerable applications to protect the system and environment. Without a loaded profile, no restrictions will be applied.

Second: the usr.sbin.mysqld profile is present in the repos and can be installed from the apparmor-profiles package. But in higher server versions the binary name is mariadbd, which means it won't be restricted by the system mysqld profile and will run in unconfined mode. BTW, the sshd server on sles-15 is running in unconfined mode too.

It all means that a missing profile doesn't prevent the end user from anything. So, the goal of porting the AppArmor profile to SUSE/SLES may be defined as "restrict server to prevent abnormal actions".

I created a simple profile for mariadbd and tried to find a way to catch some AppArmor logs or just see some denied actions - no success so far, everything works fine. I'm going to run the full mtr for it next; if no success, I need to test at least a Galera cluster, similar to SELinux.
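
Added example, not part of the ticket or of MariaDB's packaging: the last comment concerns whether mariadbd is actually confined and where its denials would show up. This Python script interprets the contents of /proc/<pid>/attr/current and tallies AppArmor audit records for one profile; the log lines and the profile name /usr/sbin/mariadbd are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample records (not from the ticket). The profile name
# "/usr/sbin/mariadbd" is an assumption; use the name your profile declares.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1637230001.101:310): apparmor="DENIED" operation="open" profile="/usr/sbin/mariadbd" name="/etc/shadow" pid=2211 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=60 ouid=0
type=AVC msg=audit(1637230002.455:311): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/mariadbd" name="/tmp/ib1a2b3c" pid=2211 comm="mariadbd" requested_mask="c" denied_mask="c" fsuid=60 ouid=60
type=AVC msg=audit(1637230003.009:312): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/etc/example.conf" pid=900 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1637230003.010:313): arch=c000003e syscall=257 success=no exit=-13 comm="mariadbd"
'''

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the key=value fields of an AppArmor audit record, else None."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def parse_confinement(attr_current):
    """Interpret /proc/<pid>/attr/current as (profile, mode)."""
    text = attr_current.strip()
    if text == 'unconfined':
        return (None, 'unconfined')
    m = re.fullmatch(r'(.+) \((\w+)\)', text)   # e.g. "/usr/sbin/mysqld (enforce)"
    return (m.group(1), m.group(2)) if m else (text, 'unknown')

def summarize(log_text, profile):
    """Count (verdict, operation, path, denied_mask) events for one profile.

    Enforce mode logs apparmor="DENIED"; complain mode logs "ALLOWED" for
    accesses the profile would have blocked, so both verdicts are kept.
    """
    events = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec.get('profile') == profile:
            events[(rec['apparmor'], rec.get('operation'),
                    rec.get('name'), rec.get('denied_mask'))] += 1
    return events

if __name__ == '__main__':
    print(parse_confinement('unconfined\n'))
    for event, count in summarize(SAMPLE_AUDIT_LOG, '/usr/sbin/mariadbd').items():
        print(count, *event)
```
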
