-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday, 2013-11-08 at 13:41 +0100, Christian Boltz wrote:
Now that I think, the yast apparmour wizard has disappeared, so it is more difficult to adjust profiles.
Hmm, I didn't check the YaST module for a long time (I never use it), but the changelog says you are right:
* Mo Aug 19 2013 jreidinger@suse.com - fix broken dialog in edit profiles - drop reporting and profile generation tools (FATE#308684,308683)
Needless to say that both FATE entries are non-public :-( which means I don't know any details why this was done. The only thing I know is that the changelog entry is partly wrong - the "reporting" part was already disabled in 2011 because of upstream changes.
In the remaining part, I even found a crash :-( (-> bug 849571)
Mmm.
That said - you don't need YaST to update the profiles ;-) - the commandline tools work as good as always.
To update an existing profile, run aa-logprof It will ask you in the same way YaST did, the only difference is that you need to use your keyboard instead of your mouse ;-)
I'll try... never used those, as far as I remember.
New profiles can be created with aa-genprof.
Note: the profile only covers the binary, not the wrapper script.
Which is that?
That's easy to find out ;-)
# which acroread # ls -l `which acroread` (and then follow the symlink)
Ah, ok, I understand. cer@Telcontar:~> file /usr/lib/Adobe/Reader9/bin/acroread /usr/lib/Adobe/Reader9/bin/acroread: POSIX shell script, ASCII text executable I didn't realise there was a script involved. And the script is provided by openSUSE, because I see refrences to bugzillas in it. So, in order to install adobe from "upstream", I would still need to keep the script from a previous install. :-( Hum... the script says copyright be Adobe... I don't understand.
Or just run aa-genprof acroread to create a profile ;-) Note: AFAIK the wrapper script uses LD_PRELOAD when starting the real binary, which means you should _not_ clean the environment when the binary is executed ("px" instead of "Px" in the profile)
Mmmm.
That all said: The most secure solution is of course to use a maintained PDF reader like Okular, but if you really _have to_ use acroread for some reason, it's more secure (or should I say less exploitable with an AppArmor profile.
Oh, yes. I seldom use acroread, in fact.
If the danger is in the Firefox plugin, for instance, that can be removed with less trouble.
Indeed, just zypper rm acroread-browser-plugin
I'd strongly recommend to do that (guess who split off this subpackage, and why... ;-)
No idea...
You can blame me for the subpackage ;-)
:-) - -- Cheers, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEARECAAYFAlJ86GEACgkQtTMYHG2NR9XRzwCfdUWSFUBdgfO1deRRrhufHN0f oG8An1opSXtIIl0Be6tqMDip9iYYx1KK =QMYA -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org