On Thu, Nov 05, 2015 at 01:14:18PM +0100, Carlos E. R. wrote:
On 2015-11-05 11:42, Johannes Meixner wrote:
This raises a subsequent issue:
I assume it is too complicated (or simply impossible) to have an AppArmor profile for rpm so that rpm cannot change already existing files in other packages.
Therefore "updating" third party RPMs with this profile active would have to be done by first removing the installed third party RPM and then installing the new version of the third party RPM from scratch.
Different approach idea: install the rpm and somehow list or catch any written or changed file outside of those listed by "rpm -ql ..."
Is that possible?
I know it is possible to catch the changes with something like the seccheck scripts that run off cron, but it is heavy processing and would find also changes not done by this install.
It would not be the best thing, but knowing what has been changed would allow an administrator to revert the changes, and perhaps write an AA profile that denies those same changes, for the next run.
snapper and btrfs snapshots are made for this and can do this already ;)

Ciao, Marcus
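The snapshot approach suggested in the last reply, applied to the question of catching files changed outside the "rpm -ql" list, as an added example that is not part of the original thread. The function names, the ignore pattern for the rpm database and the sample paths in the comments are assumptions; `audit_install` needs root and a snapper configuration for the root filesystem.

```shell
#!/bin/sh
# Added example (not from the thread): list files an RPM install changed
# that the package itself does not claim.

# unlisted_changes STATUS MANIFEST [IGNORE_ERE]
#   STATUS:     saved output of "snapper status PRE..POST", "<flags> <path>" per line
#   MANIFEST:   saved output of "rpm -qlp PACKAGE.rpm", one path per line
#   IGNORE_ERE: paths expected to change on every install (assumed default:
#               the rpm database under /var/lib/rpm/)
# Prints "<flags> <path>" for each changed path that is not in the manifest.
unlisted_changes() {
    awk -v ignore="${3:-^/var/lib/rpm/}" '
        FILENAME == ARGV[1] { owned[$0] = 1; next }   # first file: manifest
        {
            flags = $1
            path = $0
            sub(/^[^ ]+ +/, "", path)   # drop the flags, keep spaces in the path
            if (path ~ ignore) next
            if (!(path in owned)) print flags " " path
        }
    ' "$2" "$1"
}

# audit_install PACKAGE.rpm
# Takes a pre/post snapshot pair around the install and reports every change
# on the snapshotted subvolume that the package does not list as its own,
# for example files written by scriptlets.
audit_install() {
    pkg=$1
    tmp=$(mktemp -d) || return 1
    rpm -qlp "$pkg" > "$tmp/manifest" || { rm -rf "$tmp"; return 1; }
    pre=$(snapper create --type pre --print-number \
          --description "before $pkg") || { rm -rf "$tmp"; return 1; }
    rpm -Uvh "$pkg"
    post=$(snapper create --type post --pre-number "$pre" --print-number \
           --description "after $pkg") || { rm -rf "$tmp"; return 1; }
    snapper status "$pre..$post" > "$tmp/status"
    unlisted_changes "$tmp/status" "$tmp/manifest"
    rm -rf "$tmp"
}
```

Anything else that writes to the subvolume between the two snapshots also shows up, so the report is most useful on an otherwise idle system. Paths on subvolumes excluded from the snapper configuration are not covered.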