https://bugzilla.novell.com/show_bug.cgi?id=724829
https://bugzilla.novell.com/show_bug.cgi?id=724829#c3

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed              |Added
----------------------------------------------------------------------------
         Status    |NEEDINFO             |NEW
   InfoProvider    |suse-beta@cboltz.de  |

--- Comment #3 from Christian Boltz <suse-beta@cboltz.de> 2011-10-21 14:09:34 CEST ---

My system is far from a default installation, so I don't know exactly which daemons are running by default nowadays. You'll have to compare the list of daemons running by default with the profiles in /etc/apparmor.d/ yourself ;-)
From the things Ludwig mentioned: usr.sbin.avahi-daemon has a profile. usr.sbin.nscd and usr.sbin.ntpd are also things that are started by default IIRC and are protected by AppArmor.
Of course I use all profiles that are installed by default on my system and everything works - so AppArmor won't "bug joe user with that" ;-) It just sits in the background and adds some additional security.

The desktop notification works (it's not a tray applet/icon anymore - it uses /usr/bin/notify-send). You can start it with

    sudo /usr/sbin/aa-notify -p --display $DISPLAY

BTW: the usr.sbin.smbd profile is now even automatically updated based on your shares in smb.conf.

Now to the more interesting[tm] things you asked:

The problem with firefox and acroread is that they have "save as..." and "open..." in their file menu. This means that I'd have to give them read and write permissions to (more or less) the whole filesystem, which makes having a profile quite pointless. The only thing that would be possible without restricting users would be a set of deny rules where I could blacklist read access to ~/.gnupg and ~/.ssh - but such a blacklist would never be complete.

To make the firefox profile really secure, a restriction like "downloads can only be stored in ~/Downloads/" would be needed. That's exactly what the firefox profile in /etc/apparmor/profiles/extras/ does, and it's also the reason why this profile isn't enabled by default.

Flash could be easier because it doesn't have "save as..." and "open..." - but I'm not sure at which point between browser and flash a profile could attach. (Does flash run as a standalone process? What's the name of the binary?)
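The comment above leaves the reader to compare the daemons running on their system with the profiles shipped in /etc/apparmor.d/. The script below is an added example, not part of the bug report or of the AppArmor project; it assumes the conventional profile file naming (the binary's absolute path with the leading "/" dropped and every "/" turned into ".", e.g. /usr/sbin/avahi-daemon becomes usr.sbin.avahi-daemon) and builds its demo input from a constructed temporary directory and a constructed daemon list, so it runs offline. The running_binaries function shows how to obtain the real list on a live Linux system via /proc.

```shell
#!/bin/sh
# Added example: report which running daemons have no AppArmor profile file.
# Assumption: profile files follow the usr.sbin.<name> convention described in
# the lead-in. Nothing here is taken from the bug report or from AppArmor itself.

# Map an absolute binary path to the conventional profile file name.
# /usr/sbin/avahi-daemon -> usr.sbin.avahi-daemon
profile_name_for() {
    printf '%s\n' "$1" | sed -e 's#^/##' -e 's#/#.#g'
}

# Given a profile directory and a newline-separated list of binary paths,
# print one line per binary: "covered <path>" or "unprofiled <path>".
check_coverage() {
    dir=$1
    list=$2
    printf '%s\n' "$list" | while IFS= read -r bin; do
        [ -n "$bin" ] || continue
        name=$(profile_name_for "$bin")
        if [ -f "$dir/$name" ]; then
            printf 'covered %s\n' "$bin"
        else
            printf 'unprofiled %s\n' "$bin"
        fi
    done
}

# Print how many binaries in the list have no profile file.
count_unprofiled() {
    check_coverage "$1" "$2" | grep -c '^unprofiled '
}

# On a live Linux system: the distinct executables behind every process,
# taken from /proc/<pid>/exe (needs root to resolve other users' processes).
running_binaries() {
    for p in /proc/[0-9]*; do
        readlink "$p/exe" 2>/dev/null
    done | sed 's/ (deleted)$//' | sort -u
}

# Constructed demo: a fake profile directory with three profiles and a fake
# list of four daemons; cupsd is the one that should show up as unprofiled.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/usr.sbin.avahi-daemon" "$tmp/usr.sbin.nscd" "$tmp/usr.sbin.ntpd"
    daemons='/usr/sbin/avahi-daemon
/usr/sbin/nscd
/usr/sbin/ntpd
/usr/sbin/cupsd'
    check_coverage "$tmp" "$daemons"
    rm -rf "$tmp"
}

demo
```

For the real comparison run `check_coverage /etc/apparmor.d "$(running_binaries)"` as root. A binary listed as "unprofiled" may still be confined by a profile whose file name does not follow the convention (profiles can also be named freely and attach by path inside the file), so treat the output as a list of candidates to check with aa-status rather than as a final verdict.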