http://bugzilla.suse.com/show_bug.cgi?id=1000201
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c2

Per Jessen <per@computer.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |per@computer.org
              Flags|                            |needinfo?(per@computer.org)

--- Comment #2 from Per Jessen <per@computer.org> ---
(In reply to Christian Boltz from comment #1)
Just for the records: having AppArmor 2.8.x on SLE is not my fault ;-) - it was the decision of the SLE maintainers not to upgrade to 2.9 (which I proposed for SLE12, it would have solved quite some problems.) Also, I'm not the AppArmor maintainer for SLE (but help when needed).
I was unable to open a report for SLE, only for openSUSE. Thanks for helping with this.
Also, I'm surprised that the profiles were replaced - AFAIK the files in /etc/apparmor.d/ are packaged as "noreplace".
Maybe that was a poor guess. I have a copy of apparmor+apparmor.d from before I changed things: In apparmor/profiles/extras, mlmmj-* are all dated Aug 17 2015. The symlinks were not changed, afaict. So, what else might have changed to cause this issue, coinciding with the update on 2/9?
That said:
Can you please check (rpm -qf) if / which package contains the mlmmj profiles? (The AppArmor package ships them in the "extras" directory [1] as inactive profiles, which means they are _not_ shipped in /etc/apparmor.d/.)
[1] that's probably /etc/apparmor/profiles/extras/ on SLE, and /usr/share/apparmor/extra-profiles/ since AppArmor 2.9.
Correct, they're in /etc/apparmor/profiles/extras/ and symlinked from /etc/apparmor.d/
Also, some questions about your changes:
+/usr/bin/mlmmj-bounce {
- /var/spool/mlmmj/*/subscribers.d rwl, # - /var/spool/mlmmj/*/subscribers.d/* rwl, + /var/spool/mlmmj/*/subscribers.d/ r, + /var/spool/mlmmj/*/subscribers.d/* r,
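Review bot: the rule "/var/spool/mlmmj/*/subscribers.d/* r," drops both w and l from the old rwl for /usr/bin/mlmmj-bounce, and nothing in the hunk shows that bounce handling never writes to or links files under subscribers.d. Check audit.log for DENIED entries from mlmmj-bounce on these paths before shipping read-only, or keep rw on the "subscribers.d/*" rule. The trailing slash added to "subscribers.d/" is correct for a directory rule and should stay.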
I like reducing permissions, still - are you sure read-only is enough here?
No, I can't be sure. Yes, -sub and -unsub have rw access, I guess -bounce will need it too. I've got some more updates, I'll fix that.
BTW: the queue and subconf directories also need a trailing slash (or can be removed from the profile if you don't find complaints about this in the audit.log ;-)
I wanted to be careful and not change too much, I don't know mlmmj at all.
+/usr/bin/mlmmj-sub {
Another missing trailing slash for the "text" directory (or a superfluous rule ;-)
After adjusting those details, please attach the full mlmmj profiles as tarball. Your diff doesn't cleanly apply to the upstream profiles (not too surprising, probably they changed in the meantime), so having the full files makes things easier for me ;-)
Okay, will do.
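The trailing-slash point raised in this comment (an AppArmor file rule only covers a directory when its path ends in /), as an added example that is not part of the original mail or of the AppArmor or mlmmj projects: a small Python check that flags rules whose path exists as a directory on disk. The function name, the root parameter and the queue and index rules in the sample are assumptions made for the illustration.

```python
import glob
import os
import re

# One simple file rule: optional qualifiers, an absolute path, permissions, a comma.
RULE_RE = re.compile(r"^\s*(?:(?:audit|deny|owner)\s+)*(/\S*)\s+([a-zA-Z]+)\s*,")

# Constructed sample. The subscribers.d paths come from the thread; the queue
# and index rules are made up for this demonstration.
SAMPLE_PROFILE = """\
/usr/bin/mlmmj-bounce {
  /var/spool/mlmmj/*/subscribers.d rwl,
  /var/spool/mlmmj/*/subscribers.d/ r,
  /var/spool/mlmmj/*/queue r,
  /var/spool/mlmmj/*/index rw,
}
"""


def missing_dir_slashes(profile_text, root="/"):
    """Return [(line_no, path)] for rules that lack a trailing slash although
    the path matches a directory under root. Such a rule covers a file of
    that name, not the directory itself."""
    findings = []
    for line_no, line in enumerate(profile_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue  # profile header, comment, closing brace, other rule types
        path = m.group(1)
        # Skip rules that already name a directory or end in a glob, and
        # syntax Python's glob cannot expand (variables, alternation, **).
        if path.endswith(("/", "*")) or any(t in path for t in ("@{", "{", "**")):
            continue
        on_disk = glob.glob(os.path.join(root, path.lstrip("/")))
        if any(os.path.isdir(p) for p in on_disk):
            findings.append((line_no, path))
    return findings


if __name__ == "__main__":
    for line_no, path in missing_dir_slashes(SAMPLE_PROFILE):
        print(f"line {line_no}: {path} is a directory here, rule needs a trailing /")
```

Run it on the host where the mailing lists live, since the check depends on what actually exists under /var/spool/mlmmj.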