Mailinglist Archive: opensuse-factory (956 mails)
Re: [opensuse-factory] 12.1 beta, apparmor not installed automatically
- From: Christian Boltz <opensuse@xxxxxxxxx>
- Date: Sun, 09 Oct 2011 23:28:56 +0200
- Message-id: <3624909.jkuN5tIrBS@tux.boltz.de.vu>
Hello,
On Friday, 7 October 2011, Lars Müller wrote:
On Fri, Oct 07, 2011 at 03:07:27AM +0200, Christian Boltz wrote:
On Thursday, 6 October 2011, Lars Müller wrote:
I'll enable caching, see my reply to Coolo's mail for details.
However I don't want to package the cached files because that might
cause funny side effects on updates (profile changed locally, but
packaged cache looks newer and such stuff).
I agree. Packaging the cached files would be the wrong approach.
What I had in mind is forcing a (re)build of the AA cache as part of
the installation workflow. Or as part of software install.
Or with other words: keep it away from the boot process. Even better
have it ready when we boot.
That would make things really different - in theory I could do it in %post,
but this will become really funny on new installations (as in --root=/mnt
from rpm POV).
And all this just to save 10s on the first boot after a new installation
or an update?
There are more important things where I can spend my time on, for example
the script at the end of this mail...
There aren't so many cases when the profiles need to be rebuilt:
a) After an update _if_ the location of a binary changed or one got added.
b) Newly installed software. Then we need for the new binaries a rebuild.
c) if a profile was changed
The good thing is: apparmor_parser automatically rebuilds the cache
if a profile has been changed or added.
This reminds me to the open issue we had discussed in the past with
regard to Samba, YaST, AA, and newly added shares:
https://bugzilla.novell.com/show_bug.cgi?id=688040
Indeed, I'm aware of
The quick and easy solution would be a little script that extracts
the paths of all shares from smb.conf and writes an apparmor
profile snippet. This script should run when starting and
reloading samba.
The downside is that it won't be aware of everything because
- you can reload samba using SWAT instead of the initscript or
systemd
I would ignore SWAT atm. We should have removed this old code from
the packages. Not only to save us the extra work we had with the
recent security update.
;-)
- it's possible to add "dynamic" shares that don't show up in
smb.conf
(for example using the "share directory" feature in KDE)
Which utilizes "net usershare" IIRC.
"net usershare: usershares are currently disabled" is what I get on a
default install. I know, there is an easy way to enable it from
inside YaST and therefore we have to care about it.
Uhh, ahh, it's broken in 3.6 anyway.
https://bugzilla.samba.org/show_bug.cgi?id=8511
<BOfH> OK, so we can ignore them for now ;-) </BOfH>
Covering all this makes things really difficult, therefore I'd say
we should at least do the easy part (based on smb.conf) for 12.1.
That's much better than the current state and will probably cover
most use cases.
Yes.
If someone can provide a script that prints the path of all shares
in smb.conf (there are some hints about python and perl modules
to parse smb.conf in the bugreport) in the format given below
I'll then integrate it in the initscript and systemd service
file.
This is how the apparmor profile snippet should look:
# autogenerated at samba startup - do not edit!
/path/to/share/ rk,
/path/to/share/** lrwk,
/another/share/ rk,
/another/share/** lrwk,
Or an enhanced testparm allowing us to define which parameter(s) to
display would be nice.
testparm looks like a very good hint :-)
You mean something like this?
testparm -s 2>/dev/null | sed -n '/^[ \t]*path[ \t]*=[ \t]*[^% \t][^%][^%]*$/ s/^[ \t]*path[ \t]*=[ \t]*//p'
Basically, the sed command prints all path= lines except paths that
contain a % sign (for example %H in the [profiles] section).
It also enforces a minimum path length of 2 bytes - if someone is insane
enough to share /, he'll need to update the profile himself.
For the default smb.conf, this gives me:
/home
/home/groups
/var/tmp
/var/lib/samba/drivers
Now we need to change this to a format that AppArmor understands:
echo '# autogenerated at samba start - do not edit!'
testparm -s 2>/dev/null | sed -n '/^[ \t]*path[ \t]*=[ \t]*[^% \t]\{2,\}/ s|^[ \t]*path[ \t]*=[ \t]*\(.*\)$|\1/ rk,\n\1/** rwkl,|p'
(did I already mention that I like sed? ;-)
Result:
# autogenerated at samba start - do not edit!
/home/ rk,
/home/** rwkl,
/home/groups/ rk,
/home/groups/** rwkl,
/var/tmp/ rk,
/var/tmp/** rwkl,
/var/lib/samba/drivers/ rk,
/var/lib/samba/drivers/** rwkl,
Does this look good so far?
If yes, I can add the code needed to reload the apparmor profile (and
to avoid superfluous profile reloads if nothing was changed).
Regards
Christian Boltz
--
got a patch?-ENOTMYJOB
[> Markus Rueckert and Bernhard Walle in opensuse-packaging]
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx
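Added example (not part of this mail or of the Samba package): a small POSIX sh version of the snippet generator discussed above, plus the "reload only if something changed" step the mail mentions. It runs on a constructed stand-in for the `testparm -s` output so it works without Samba installed; the snippet file path is whatever the caller passes, since the mail does not name one.

```shell
#!/bin/sh
# Constructed stand-in for `testparm -s` output (indentation simplified); the
# real script would pipe `testparm -s 2>/dev/null` in instead.
SAMPLE_TESTPARM_OUTPUT='[global]
    workgroup = WORKGROUP
[homes]
    comment = Home Directories
[profiles]
    path = %H
[rootshare]
    path = /
[users]
    path = /home
[groups]
    path = /home/groups
[pdf]
    path = /var/tmp
[print$]
    path = /var/lib/samba/drivers'

# Read testparm output on stdin, write the AppArmor snippet to stdout.
# Skipped: paths containing % (expanded by smbd at runtime, unknown to the
# profile) and paths shorter than two characters (sharing / needs manual work).
smb_paths_to_apparmor() {
    echo '# autogenerated at samba start - do not edit!'
    sed -n '/^[[:space:]]*path[[:space:]]*=[[:space:]]*[^%[:space:]][^%][^%]*$/ {
        s|^[[:space:]]*path[[:space:]]*=[[:space:]]*\(.*\)$|\1/ rk,|p
        s|/ rk,$|/** rwkl,|p
    }'
}

# Regenerate the snippet file "$1" from testparm output on stdin. Returns 0 and
# replaces the file only when the content changed, so the init script can skip
# the apparmor_parser reload when nothing changed.
update_snippet_if_changed() {
    snippet="$1"
    tmp="$snippet.new"
    smb_paths_to_apparmor > "$tmp"
    if [ -f "$snippet" ] && cmp -s "$snippet" "$tmp"; then
        rm -f "$tmp"
        return 1    # unchanged: no profile reload needed
    fi
    mv "$tmp" "$snippet"
    return 0        # changed: caller reloads the samba profile
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_TESTPARM_OUTPUT" | smb_paths_to_apparmor
```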