Hello,

FYI: apparmor packages with caching enabled are just building in security:apparmor:factory and also submitted to Factory (SR 87208).

On Friday, 7 October 2011, Tim Edwards wrote:
On Friday, October 07, 2011 1:28 PM, "Christian Boltz" wrote:
Let me ask the other way round: did you ever hit an apparmor restriction when sharing a folder in KDE?
I'm not sure why but I could never get it working on 11.4, I ended up using fish:// in dolphin instead since I only need to transfer files to my netbook occasionally.
Maybe the failure was/is on the samba side - if I understood Lars' mail correctly, it's broken at least in samba 3.6. But fish:// is the better choice anyway ;-)
Apparmor definitely did break my simple local-users only Dovecot setup though, and the bug I raised was closed as fixed even though it wasn't for me.
I guess you are talking about
https://bugzilla.novell.com/show_bug.cgi?id=681267

I don't have the 11.4 profiles here at the moment (I'm using factory), so I can't check it right now. But I'll help you to solve the problems you see ;-)

First check if you are using the profiles from the apparmor-profiles package or modified (maybe outdated) profiles:

    rpm -V apparmor-profiles

If you see anything related to dovecot in the output, please

    mv /etc/apparmor.d/*dovecot* /some/where/
    zypper in -f apparmor-profiles
    rcapparmor reload

If you still see problems, please
- switch the dovecot profiles to complain mode:
    aa-complain /etc/init.d/*dovecot*
- run dovecot for some time
- open a new bugreport and attach your audit.log.

You can also test with the latest upstream profiles. The easiest way to get them is installing the apparmor-profiles package from security:apparmor:factory. I never tested if updating only the profiles works dependency-wise - if rpm complains, it should be safe to use --nodeps in this case. (OTOH, updating to all packages from security:factory:apparmor will give you some more bugfixes compared to the version on 11.4.)

Afterwards make sure that you really have the latest profiles:

    rpm -V apparmor-profiles

should not print anything related to dovecot.

If you want to update the profiles yourself, run

    aa-logprof

Nevertheless please open a bugreport with audit.log attached.
Maybe, but after my experience with dovecot I got the impression that the Apparmor profiles weren't widely tested and were bitrotting. Maybe that's changed recently though.
The problem is that many programs behave differently depending on their configuration and usage, which makes it hard to create a perfect profile. To give you an example: traceroute (which is a quite simple program when compared to dovecot) had a good profile. Well, except if you used the -I flag... (see bug 685674) But this example also shows that the profiles are not bitrotting ;-)
Besides that, the default advice in this case should be "check /var/log/audit/audit.log and open a bugreport if needed".
It's not exactly user friendly. Can't it use the desktop notification thing (whatever it's called) to pop-up a notification when it blocks something?
aa-notify isn't started by default. If you want to use it, run

    sudo DISPLAY=$DISPLAY /usr/sbin/aa-notify -p

Unfortunately aa-notify is slightly broken in 11.4. If you want to use it, run

    chmod 750 /var/log/audit

or install the packages from security:apparmor:factory. Factory already contains the working version.

BTW: the need for handing over $DISPLAY is caused by the very secure sudo config in openSUSE - it resets most environment variables. Maybe I get a more user-friendly way implemented upstream, but I'm afraid you'll always have to hand over $DISPLAY (or $DBUS_SESSION_BUS_ADDRESS) to aa-notify. Yes, I'm aware that this isn't a perfect solution, but it's the best I can offer for 12.1.

Regards,

Christian Boltz
--
btw: Do I gather from your words that XP and security can somehow form a connection? Sure they can. A logical XOR connection. [U. Ohse and S. Posner in dasr]
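
Added example, not part of the original mail and not code from the AppArmor project: a Python script that summarises the AppArmor events in an audit.log before it is attached to a bug report, grouping DENIED (enforce mode) and ALLOWED (complain mode) events per profile and path. The log lines are constructed samples, and the function names and the "dovecot" filter are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the audit.log format AppArmor writes; not from a real system.
SAMPLE_LOG = """\
type=AVC msg=audit(1317990001.101:201): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dovecot" name="/etc/dovecot/local.conf" pid=2101 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1317990002.102:202): apparmor="ALLOWED" operation="mknod" parent=2101 profile="/usr/lib/dovecot/imap" name="/home/user/Maildir/tmp/1317990002.M1" pid=2102 comm="imap" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1317990003.103:203): apparmor="ALLOWED" operation="open" parent=2101 profile="/usr/lib/dovecot/imap" name="/home/user/Maildir/tmp/1317990002.M1" pid=2102 comm="imap" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
type=AVC msg=audit(1317990004.104:204): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/dovecot" pid=2200 comm="apparmor_parser"
type=SYSCALL msg=audit(1317990005.105:205): arch=c000003e syscall=2 success=yes exit=3 pid=2300 comm="cat"
"""

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the fields of an AppArmor DENIED/ALLOWED event, or None for other lines."""
    if "apparmor=" not in line:
        return None
    fields = {key: (quoted or bare) for key, quoted, bare in KV.findall(line)}
    # STATUS lines (profile load/replace) are not access decisions; skip them.
    if fields.get("apparmor") not in ("DENIED", "ALLOWED"):
        return None
    return fields


def summarize(log_text, profile_filter="dovecot"):
    """Group events by (profile, path) and merge the denied permission letters."""
    summary = defaultdict(lambda: {"mask": set(), "modes": set()})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or profile_filter not in ev.get("profile", ""):
            continue
        entry = summary[(ev["profile"], ev.get("name", "?"))]
        entry["mask"].update(ev.get("denied_mask", ""))
        entry["modes"].add(ev["apparmor"])
    return {key: ("".join(sorted(val["mask"])), sorted(val["modes"]))
            for key, val in summary.items()}


if __name__ == "__main__":
    for (profile, path), (mask, modes) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{profile}: {path} needs '{mask}' ({', '.join(modes)})")
```

An ALLOWED entry means the profile was in complain mode and the access would have been blocked in enforce mode.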