Hello,

On Friday, 7 October 2011, Tim Edwards wrote:
> I might have read your post wrong but are you saying that Apparmor will, by default, break the file/folder sharing feature built into KDE?
In theory it could. Practice is (as usual) different - the default profile allows sharing the home directories. This means: if you share something in your home directory, everything will work. The only thing that will not work with the default profile is sharing a directory outside your home directory (for example /tmp), but I'd say that's an acceptable restriction because most people won't share /tmp ;-)

Let me ask the other way round: did you ever hit an apparmor restriction when sharing a folder in KDE?
> This IMHO is completely wrong, you don't enhance security by simply breaking features, especially the most user-facing ones that are there in the GUI.
I couldn't agree more - and that's the reason why we don't have a profile for firefox by default. Basically all programs with a "save as..." menu item are impossible to profile because you never know where a user wants to store his files. Well, you could allow write access everywhere, but that doesn't really bring a security improvement. The secure option for firefox would be to allow write access only to ~/downloads (and nowhere else). However that's something that isn't acceptable for a default profile.
> IIRC Redhat was very careful not to deploy profiles for services in SELinux until they were well tested and work.
SELinux is a slightly ;-) different beast and much more complex AFAIK (did you ever compare an apparmor profile to a SELinux profile?). Nevertheless I'm quite sure they had some incomplete profiles because behaviour of many programs depends heavily on config options, and you never get everything in the first attempt.
> Putting half-working profiles in Apparmor is not the way to go, otherwise soon 'Disable Apparmor' will become part of the standard troubleshooting advice on the Opensuse forum.
It isn't yet? That's good news and shows that the default profiles use sane rules ;-) Besides that, the default advice in this case should be "check /var/log/audit/audit.log and open a bugreport if needed".

Regards,

Christian Boltz
--
> Can I get some more info from the machine? 'dmesg', 'cat /proc/bus/input/devices', etc ...

Sorry, there's no command called "etc" on my machine... ;-)
[Rasmus Plewe on https://bugzilla.novell.com/show_bug.cgi?id=176022]
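
One way to follow the advice above to check /var/log/audit/audit.log before opening a bug report, as an added example that is not part of the original mail: it groups AppArmor DENIED records by profile and path so the missing rule is obvious. The sample log lines, the smbd profile name and the paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in AppArmor's audit format (not from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1317988800.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/tmp/share/report.odt" pid=4021 comm="smbd" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1317988801.202:202): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/tmp/share/report.odt" pid=4021 comm="smbd" requested_mask="w" denied_mask="w"
type=AVC msg=audit(1317988802.303:203): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nscd" name="/etc/hosts" pid=911 comm="nscd" requested_mask="r" denied_mask="r"
type=SYSCALL msg=audit(1317988803.404:204): arch=c000003e syscall=2 success=yes exit=3 comm="cat"
type=AVC msg=audit(1317988804.505:205): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name=2F746D702F6D792073686172652F612E747874 pid=4021 comm="smbd" requested_mask="r" denied_mask="r"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_fields(line):
    """Split one audit record into key/value pairs."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        value = quoted or bare
        # audit hex-encodes a path it cannot safely quote (e.g. one with a space)
        if key == "name" and bare and HEX.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields


def summarize_denials(log_text):
    """Map (profile, path) -> denied permission letters, DENIED records only."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        # "ALLOWED" records come from complain mode and did not block anything
        if f.get("apparmor") == "DENIED" and "name" in f and "profile" in f:
            denied[(f["profile"], f["name"])].update(f.get("denied_mask", ""))
    return {key: "".join(sorted(masks)) for key, masks in denied.items()}


if __name__ == "__main__":
    for (profile, path), masks in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"{profile}: denied '{masks}' on {path}")
```
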