Appreciate your input Christian. Kernel keyring does not touch file system at all, so in this case the AppArmor profiles can be simplified. I just wrote in my check list to remember to test dovecot.

Regards,
Howard

On Thu, 14 Jan 2016, Christian Boltz wrote:
At least for winbindd, I tend to disagree (winbindd probably overrides the location). According to the AppArmor profile, we have
2328 apparmo | /tmp/krb5cc_* rwk,
- updates for samba 4.x and kerberos (bnc#846586#c12 and #c15, bnc#845867, bnc#846054)
2461 apparmo | /var/cache/krb5rcache/* rw,
- allow rw access to /var/cache/krb5rcache/* (bnc#870607)
Please check if winbind still works with AppArmor enabled after changing to the kernel keyring. (In other words: does using the kernel keyring need access to something in /proc/, /sys/ or /dev/?)
I don't know or use Kerberos (actually I don't even use Samba anymore, but at least know it a bit), therefore I can't test myself.
A similar question applies for dovecot, which can also use Kerberos. For more details, see the usr.lib.dovecot.auth AppArmor profile and https://bugzilla.novell.com/show_bug.cgi?id=851984
Some testing if Dovecot (with Kerberos configured) still works when using the kernel keyring would be welcome ;-)