Mailinglist Archive: opensuse-factory (956 mails)

Re: [opensuse-factory] 12.1 beta, apparmor not installed automatically


On Friday, October 07, 2011 1:28 PM, "Christian Boltz"
<opensuse@xxxxxxxxx> wrote:
Hello,

On Friday, 7 October 2011, Tim Edwards wrote:
I might have read your post wrong but are you saying that Apparmor
will, by default, break the file/folder sharing feature built into
KDE?

In theory it could.
Practice is (as usual) different - the default profile allows sharing
the home directories. This means: if you share something in your home
directory, everything will work.

The only thing that will not work with the default profile is sharing a
directory outside your home directory (for example /tmp), but I'd say
that's an acceptable restriction because most people won't share
/tmp ;-)

If that's how it works then fair enough, that sounds like it doesn't
actually break the feature.


Let me ask the other way round: did you ever hit an apparmor restriction
when sharing a folder in KDE?

I'm not sure why but I could never get it working on 11.4, I ended up using
fish:// in dolphin instead since I only need to transfer files to my
netbook occasionally. Apparmor definitely did break my simple
local-users only Dovecot setup though, and the bug I raised was closed
as fixed even though it wasn't for me.

<snip>
IIRC Redhat was very careful not to deploy profiles for services in
SELinux until they were well tested and work.

SELinux is a slightly ;-) different beast and much more complex AFAIK
(did you ever compare an apparmor profile to a SELinux profile?).

Nevertheless I'm quite sure they had some incomplete profiles because
behaviour of many programs depends heavily on config options, and you
never get everything in the first attempt.

Maybe, but after my experience with dovecot I got the impression that
the Apparmor profiles weren't widely tested and were bitrotting. Maybe
that's changed recently though.


Putting half-working profiles in Apparmor is not the way to go,
otherwise soon 'Disable Apparmor' will become part of the standard
troubleshooting advice on the Opensuse forum.

It isn't yet? That's good news and shows that the default profiles use
sane rules ;-)

Besides that, the default advice in this case should be "check
/var/log/audit/audit.log and open a bug report if needed".

It's not exactly user friendly. Can't it use the desktop notification
thing (whatever it's called) to pop-up a notification when it blocks
something?

Tim
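
The "check /var/log/audit/audit.log" advice quoted above, as an added example that is not part of the original thread: a small parser that pulls AppArmor denials out of audit records and groups them by profile, path and denied permission, ready to paste into a bug report. The log lines are constructed samples, the function names are hypothetical, and the field layout assumed is the usual `apparmor="DENIED" ... profile= name= denied_mask=` audit record.

```python
import re
from collections import Counter

# Constructed sample audit.log records (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1317986901.112:201): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dovecot" name="/srv/mail/alice/cur/" pid=2301 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1317986905.440:202): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dovecot" name="/srv/mail/alice/cur/" pid=2301 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1317987010.003:210): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name=2F746D702F6D79207368617265 pid=2410 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1317987011.900:211): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/home/alice/Public/" pid=2410 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=USER_LOGIN msg=audit(1317987100.000:220): pid=2500 uid=0 msg='op=login acct="alice" res=success'
"""

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')      # key="quoted value" or key=bare
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')
STRING_KEYS = {"name", "profile", "comm"}         # fields audit may hex-encode

def parse_denials(text):
    """Return one dict per AppArmor DENIED record; other records are skipped."""
    denials = []
    for line in text.splitlines():
        # Complain-mode events are logged as ALLOWED and block nothing.
        if 'apparmor="DENIED"' not in line:
            continue
        rec = {}
        for key, raw, quoted in FIELD.findall(line):
            if raw.startswith('"'):
                rec[key] = quoted
            elif key in STRING_KEYS and HEX.fullmatch(raw):
                # Paths with spaces or special characters are written as bare hex.
                rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
            else:
                rec[key] = raw
        denials.append(rec)
    return denials

def summarize(denials):
    """Count denials per (profile, path, denied permission mask)."""
    return Counter((d.get("profile", "?"), d.get("name", "?"),
                    d.get("denied_mask", "?")) for d in denials)

def report(text):
    """One line per distinct denial, most frequent first."""
    return [f"{n}x {prof} denied '{mask}' on {path}"
            for (prof, path, mask), n in summarize(parse_denials(text)).most_common()]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
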