https://bugzilla.novell.com/show_bug.cgi?id=561152
https://bugzilla.novell.com/show_bug.cgi?id=561152#c20

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |suse-beta@cboltz.de

--- Comment #20 from Christian Boltz <suse-beta@cboltz.de> 2011-03-30 21:02:46 CEST ---
(In reply to comment #19)
> I believe we should have disabled all the apparmor profiles that don't work for the 11.4 release by default.
Every program that can be configured by the user won't fit then because you'll always find a config that needs to access another file... Well, maybe except /bin/false and /bin/true ;-) As long as the profile fits at least 95% of the users, I'd say we should keep it.
> Perhaps we find someone who can reliably test through all of them.
See above - the problems are often caused by configuration changes. Therefore I'd say heavy users of $program (who also change the config a lot) are the best testers. This also means you won't find one person that can test all profiles.
> Let auditd mirror all apparmor access denial messages to the console where the program runs by default.
Interesting idea.
> To me personally if I consider it again approaching to deploy SELinux does also become increasingly interesting since it now offers protection for Xorg which Apparmor does not. An indeed crucial component on every graph. desktop system. We don't have the resources to extend Apparmor as far as this; do we?
That's something you should ask on the apparmor@lists.ubuntu.com mailing list where all the AppArmor developers are. (subscribe at https://lists.ubuntu.com/mailman/listinfo/apparmor )

AFAIK Jeff is the only one @Novell who works on AppArmor (besides many other things), and in the openSUSE community there isn't too much activity regarding AppArmor. Well, at least I maintain the vim syntax highlighting for the profiles and sometimes comment on planned changes on the AppArmor mailing list - but trust me: it's a good thing that I don't touch any C code in AppArmor or elsewhere ;-)