https://bugzilla.novell.com/show_bug.cgi?id=757271
https://bugzilla.novell.com/show_bug.cgi?id=757271#c9

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
             Status|NEW     |NEEDINFO
       InfoProvider|        |bruno@ioda-net.ch

--- Comment #9 from Christian Boltz <suse-beta@cboltz.de> 2012-05-09 20:58:00 CEST ---
Bruno and Arjen, can you please test the profiles from the previous comment and provide feedback (and your audit.log)?

(In reply to comment #6)
> That may be a disaster waiting to happen. This means that if a patch is released for a security problem in Dovecot, there is no guarantee whatsoever that the AppArmor profiles will be updated if necessary. Apparently, apparmor-profiles is not part of the release process of a package (otherwise the missing Dovecot 2.0 profiles would have been spotted earlier on).
Technically, they are separate packages, yes. OTOH I doubt that having them in the same package would change much. The real issue is _testing_, which some package maintainers obviously don't do too much. I'm also testing as much as possible, but I can't test all profiles myself.
> I have been blissfully unaware of this so far, but now I'm starting to doubt if the added security AppArmor provides is worth the risk of breaking the package it is supposed to protect.
I'd say yes. You'll notice it quickly if a package is "broken" by AppArmor, but it might take some time (worst case: some days or even weeks) to notice if you were hacked if the hacker knows how to hide himself. Besides that, updating the AppArmor profile is much easier than cleaning up behind a hacker ;-)
> I've already seen several occasions in the past few months, where Dovecot stopped working because of insufficient rights granted to it.
Then I could argue that you were late with your bug report ;-) but the good thing is that you reported it. We are on the way to get it fixed :-)