Hello,

on Tuesday, 16 August 2011, phanisvara das wrote:
On Wed, 17 Aug 2011 02:53:56 +0530, Christian Boltz wrote:
Please open a bugreport! Attach /var/log/audit/audit.log and I'm sure your problem will be solved (for you and all other users). You can CC me (I'm "suse-beta [at] cboltz DOT de" in bugzilla) in these cases - that might speed up things a bit.
i never perceived it as a bug really; just some piece of software that needs to be adjusted to what i want to run on my machine:
That isn't completely wrong, but the AppArmor profiles that are enabled by default should work with nearly all configurations. In other words: please open a bugreport ;-)

Unless I miss something, AppArmor will not block any of your examples:
SSH on strange ports,
AppArmor doesn't have support to specify a TCP or UDP port number in the profile (but IIRC it was discussed and it might be possible one day), which means the sshd profile will work for all ports.
unencrypted authentication on the local network,
This also isn't / can't be blocked by AppArmor - in fact I only had problems with encrypted authentication because a program wasn't allowed to read a SSL certificate ;-)
https connection to untrusted hosts.
Are you talking about self-signed certificates and certificates not signed by an expensive certificate authority? That's something your browser might block or warn you about, but AppArmor doesn't/can't do this (and never will, because it would mean to crack the https encryption or to do a local MITM attack).

It looks to me that you overestimate the features of AppArmor ;-) It has a set of "network" rules, but it can't check the port number or the content of the packages sent over the network.

Do you have better examples why you uninstalled AppArmor? *g*
i don't imagine apparmor will ever be able to have ready-made profiles for every thinkable configuration and use.
That might be, but the target should be to have profiles that work for most configurations. Sorry if I repeat myself, but: please open a bugreport if your configuration isn't supported.
and since i have neither plastic money, nor secrets worthwhile stealing, or enough bandwidth to tempt bot nets, i rather skip the trouble that comes with added security.
Well, your choice. I hope I'll never have to say to you "I told you so" ;-))

Regards,

Christian Boltz
--
If you like... make RM="rm -rf /" clean Am I then responsible for the wiped hard disk? ;-)
You have just realized why it can be advantageous not to use shell/make variables and to hard-code things instead ;-)
[> Christian Boltz and Ralf Corsepius in suse-programming]
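
An added example, not part of the original message or of AppArmor's own tooling: a small Python script that groups AppArmor `DENIED` records from `/var/log/audit/audit.log` by profile, operation and target, which makes it easier to see what a profile blocked before attaching the log to a bug report. The sample log lines, profile name and paths are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records in the key=value layout of audit.log;
# the profile, paths and PIDs are made up for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1313529236.101:311): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/example-daemon" name="/etc/ssl/private/example.pem" pid=2101 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1313529236.105:312): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/example-daemon" name="/etc/ssl/private/example.pem" pid=2101 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1313529240.007:313): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/other" name="/tmp/x" pid=2200 comm="other" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1313529300.500:320): apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/example-daemon" pid=2101 comm="example-daemon" family="inet" sock_type="stream" protocol=6
type=USER_AUTH msg=audit(1313529301.000:321): pid=2300 uid=0 auid=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" res=success'
"""

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return the key/value fields of one audit record as a dict."""
    fields = {}
    for key, raw, quoted in KV.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def summarize_denials(log_text):
    """Count DENIED events per (profile, operation, target, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("apparmor") != "DENIED":
            continue  # skip ALLOWED (complain mode) and non-AppArmor records
        # File denials carry name=...; the constructed network denial carries
        # only family and sock_type, so there is no port to report.
        target = f.get("name") or "network {} {}".format(
            f.get("family", "?"), f.get("sock_type", "?"))
        counts[(f.get("profile", "?"), f.get("operation", "?"),
                target, f.get("denied_mask", "-"))] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, target, mask), n in summarize_denials(SAMPLE_LOG).most_common():
        print(f"{n:3d}x {profile}: {op} {target} ({mask})")
```

To run it on a real log, pass the contents of `/var/log/audit/audit.log` to `summarize_denials()` instead of `SAMPLE_LOG`.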