DietPi-Software | AppArmor

Created on 30 Aug 2019 · 4 Comments · Source: MichaIng/DietPi

Creating a bug report/issue

Required Information

  • DietPi version | 6.25.x
  • Distro version | Buster
  • Kernel version | ?
  • SBC device | Native PC (UEFI) -> Z83-II mini pc

Additional Information (if applicable)

  • Software title | All
  • Was the software title installed freshly or updated/migrated? Migrated from Stretch
  • Can this issue be replicated on a fresh installation of DietPi? Have not tried that yet

Steps to reproduce

Migrate from Stretch to Buster by updating sources and running apt-get update && apt-get upgrade && apt-get dist-upgrade

Expected behaviour

You should end up with a fully fledged Buster install with all new features such as AppArmor enabled?

Actual behaviour

It seems that if I upgrade from an existing DietPi Stretch installation to Buster, I don't get Buster features like AppArmor installed/enabled by default, like it should be with Buster? Is this on purpose or a bug?
And what happens when, or do I need to, install a fresh Buster using
https://dietpi.com/downloads/images/DietPi_NativePC-UEFU-x86_64-Buster.7z?

So the main question is whether a fresh install or a migration gives different results, and how to get a DietPi Buster with features like AppArmor etc. enabled.


All 4 comments

@GvY85
Many thanks for your report.

DietPi is not a fully fledged Debian Buster, but comes very lightweight, so that you need to install certain features, like AppArmor, manually. But that should be easy via APT, and we might consider adding it to DietPi-Software as well, since some things need to be adjusted, e.g. to allow a symlink for MariaDB database files to dietpi_userdata for easier external drive transfer.

Aha, so it is a deliberate thing. Good to know.
Then perhaps indeed it would be nice to add it to DietPi-Software. It seems like a nice feature.

On the other hand: since it is automatically turned on on a regular or minimal Buster and seems lightweight, perhaps it should be on by default with DietPi as well? To not skimp on security?

To collect some info: https://packages.debian.org/buster/apparmor-utils

  • Available on all distro versions
  • Depends on Python 3
  • It is known that the built-in MariaDB rules need to be adjusted to allow the database symlink which we place by default. Other software titles might need rework as well, either the way we install them or the AppArmor rules.

I am still not 100% sure about doubled features with systemd access and security settings. One can limit access to certain general or special directories, on a file-access basis via the run user anyway, and limit kernel/device capabilities as well. So at first we will ship it as an optional install only, marked as experimental/beta to allow intensive testing with our software installs, before shipping it as fully DietPi compatible. Only if there is any real benefit (security-wise) over simply using stricter systemd unit settings might we implement it as a regular part of DietPi images.


I will add it to the v6.27 milestone, as we need to get the already delayed v6.26 release ready.
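To make the "systemd settings vs. AppArmor" comparison from the thread concrete, here is an added example (not DietPi's own code) that stages both kinds of restriction for MariaDB: a systemd drop-in that confines writes to the data directory and drops capabilities, next to an AppArmor local override allowing the dietpi_userdata symlink target the comment above mentions. The data directory, the drop-in file name and the `local/usr.sbin.mysqld` override path are assumptions; the function writes under a staging root so it can be dry-run in a temporary directory before being applied to `/`.

```shell
#!/bin/sh
# Added example, not part of DietPi: stage a systemd hardening drop-in for
# mariadb.service and an AppArmor local override for the symlinked data dir.
set -eu

# Directory DietPi symlinks /var/lib/mysql to (assumed path).
DATA_DIR="${DATA_DIR:-/mnt/dietpi_userdata/mysql}"

# Write both files below $1, a staging root ("/" for real, a tmp dir to test).
# Prints the two generated file paths.
stage_mariadb_hardening() {
    root="$1"
    dropin_dir="$root/etc/systemd/system/mariadb.service.d"
    aa_local="$root/etc/apparmor.d/local/usr.sbin.mysqld"
    mkdir -p "$dropin_dir" "$(dirname "$aa_local")"

    # systemd side: read-only OS, no home access, private /tmp, writes only
    # to the data/run paths, no privilege escalation, minimal capabilities
    # (the capability list is an assumption; verify against the service log
    # and `systemd-analyze security mariadb.service` after deploying).
    cat > "$dropin_dir/dietpi-hardening.conf" <<EOF
[Service]
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=$DATA_DIR /var/lib/mysql /run/mysqld
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE
EOF

    # AppArmor side: the built-in rules only know /var/lib/mysql, so the
    # symlink target is granted in the local override the main profile includes.
    cat > "$aa_local" <<EOF
# Added for the DietPi database symlink target
$DATA_DIR/ r,
$DATA_DIR/** rwk,
EOF
    printf '%s\n%s\n' "$dropin_dir/dietpi-hardening.conf" "$aa_local"
}

# Real deployment: stage_mariadb_hardening / && systemctl daemon-reload
#                  && apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
```

Running it against a temporary root first shows exactly which files would change, which is the safe way to trial the experimental/beta install the comment proposes.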
