Bug 2406130
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Review Request: libapparmor - library for the userspace of the AppArmor LSM | | |
| Product: | [Fedora] Fedora | Reporter: | Ryan Lee <ryan.lee> |
| Component: | Package Review | Assignee: | Neal Gompa <ngompa13> |
| Status: | ASSIGNED | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Priority: | unspecified |
| Version: | rawhide | CC: | maciek.borzecki, me, ngompa13, package-review |
| Keywords: | AutomationTriaged | Flags: | ngompa13: fedora-review? |
| Hardware: | All | OS: | Linux |
| URL: | https://gitlab.com/apparmor/apparmor/ | Bug Blocks: | 177841 |
Description
Ryan Lee
2025-10-23 21:25:42 UTC
Copr build: https://copr.fedorainfracloud.org/coprs/build/9726417 (succeeded)

Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2406130-libapparmor/fedora-rawhide-x86_64/09726417-libapparmor/fedora-review/review.txt

Please take a look if any issues were found.

---
This comment was created by the fedora-review-service
https://github.com/FrostyX/fedora-review-service

If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.

Taking this review. This whole spec probably should be rewritten. Even the openSUSE spec is slightly bad here.
Initial notes:
* The source package name should be "apparmor", not "libapparmor".
* The python bcond should be dropped, there is no case where it would be disabled
* We do not follow openSUSE SLPP, so the library subpackage would be "libapparmor"
* Group tag lines need to be deleted
* Zypp-specific weird split Provides need to be deleted
* Subpackage interdependencies need to be tightened to "= %{version}-%{release}" rather than the weaker "= %{version}"
* Superfluous Requires on python3 should be dropped
Additionally, I'm pretty sure the apparmor source package provides quite a lot more than just libapparmor, you should endeavor to build out everything from the source package that you can.
However, let me address this one point:
> Moreover, once LSM stacking becomes available in the kernel, it would also be useful to allow AppArmor and SELinux to be used simultaneously.
It is extremely unlikely we will enable AppArmor in Fedora for LSM stacking. Getting the policies to work properly with both will be a nightmare and it is not worth the pain.
Hey Neal, thank you for taking the review.

One point on LSM stacking. This will be very useful for one other reason: it would allow running AppArmor policy inside a container. A Fedora system can then load a vanilla Debian container and, with stacking enabled, do the usual podman SELinux MCS setup, and with an AppArmor namespace in the container, load policies that would apply regular Debian AppArmor behaviour for the workload running there.

My point is that this is not about putting AppArmor policy on top of Fedora, but having the tools available so that containerised workloads can benefit from stronger security. By the nature of LSM stacking, the whole stack has to agree for something to be effectively allowed. Given how poor MCS security is inside a typical podman container (everything is just flat there, per container), it would provide a meaningful improvement without any complexity on the host.