http://bugzilla.opensuse.org/show_bug.cgi?id=991901
http://bugzilla.opensuse.org/show_bug.cgi?id=991901#c7

--- Comment #7 from Noel Power <nopower@suse.com> ---

(In reply to Christian Boltz from comment #6)
> This is an interesting[tm] topic.
>
> I discussed this with the upstream AppArmor developers, and they didn't like the idea to deny a capability because systemd is doing silly things (I have to admit that this summary is slightly exaggerated ;-)). So if we include this patch, it will most probably be a non-upstreamable patch forever.
>
> The main problem is: if one day samba really needs the net_admin capability, we will get reports about strange failures without any log entry (because "deny" silences the logging) and, worse, angry users ;-)
>
> The correct fix here is to fix systemd so that it does not accidentally cause a request for capability sys_admin (see comment #2 for details) for lots of daemons. Note that I've noticed similar capability requests for other daemons, for example apache.
I get the point of some maybe future issue about the lack of a corresponding log entry for a net_admin cap issue; I think it will affect development debugging rather than users, though. Keeping this out of Factory probably makes sense. It remaining in SLE I don't think is a big deal; we can think about removing this if it causes an issue.

However, this just reminds me about the fact that we (e.g. SLE) still use this cobbled-together old version of apparmor. It makes no sense IMHO (unless there is some real genuine difference, Christian, do you know?). Because apparmor affects so many processes, I don't know if it would be acceptable to change to the newer version mid SP2, but for SP3 we should really fix this (not sure how that should happen, maybe FATE or some other mechanism).
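As an added illustration (not the patch from the bug report, and not from either commenter), the two forms the rule can take: the plain `deny` form the patch uses refuses the capability without any log entry, while the `audit deny` form keeps the denial but logs each hit, which addresses the silent-failure concern raised in comment #6. The profile name and path are assumed.

```apparmor
# Added example, not the patch from the bug report; profile name and path are assumed.
# Constructed fragment of /etc/apparmor.d/usr.sbin.smbd
profile smbd /usr/sbin/smbd {
  # ... existing samba rules ...

  # Form used by the patch under discussion: the capability request triggered via
  # systemd is refused and, because "deny" rules are quiet by default, nothing
  # reaches the audit log. A future genuine need for net_admin would fail silently.
  deny capability net_admin,

  # Alternative (use instead of the line above): still refuse the request, but log
  # every denial so the failure shows up as an audit message rather than a mystery.
  # audit deny capability net_admin,
}
```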