Per Jessen changed bug 1000201
What Removed Added
CC   per@computer.org
Flags   needinfo?(per@computer.org)

Comment # 2 on bug 1000201 from
(In reply to Christian Boltz from comment #1)
> Just for the records: having AppArmor 2.8.x on SLE is not my fault ;-) - it
> was the decision of the SLE maintainers not to upgrade to 2.9 (which I
> proposed for SLE12, it would have solved quite some problems.) Also, I'm not
> the AppArmor maintainer for SLE (but help when needed).

I was unable to open a report for SLE, only for openSUSE.  Thanks for helping
with this. 

> Also, I'm surprised that the profiles were replaced - AFAIK the files in
> /etc/apparmor.d/ are packaged as "noreplace".

Maybe that was a poor guess.  I have a copy of apparmor+apparmor.d from before
I changed things:
In apparmor/profiles/extras, mlmmj-* are all dated Aug 17 2015. The symlinks
were not changed, afaict.
So, what else might have changed to cause this issue, coinciding with the
update on 2/9?

> That said:
> 
> Can you please check (rpm -qf) if / which package contains the mlmmj
> profiles? 
> (The AppArmor package ships them in the "extras" directory [1] as inactive
> profiles, which means they are _not_ shipped in /etc/apparmor.d/.)
> 
> [1] that's probably /etc/apparmor/profiles/extras/ on SLE, and 
>     /usr/share/apparmor/extra-profiles/ since AppArmor 2.9.

Correct, they're in /etc/apparmor/profiles/extras/ and symlinked from
/etc/apparmor.d/

> Also, some questions about your changes:
> 
> +/usr/bin/mlmmj-bounce {
> 
> -  /var/spool/mlmmj/*/subscribers.d rwl, #
> -  /var/spool/mlmmj/*/subscribers.d/* rwl,
> +  /var/spool/mlmmj/*/subscribers.d/ r,
> +  /var/spool/mlmmj/*/subscribers.d/* r,
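Review bot: The `+` rules for `subscribers.d/` and `subscribers.d/*` in `/usr/bin/mlmmj-bounce` change two things at once: they add the trailing slash to the directory rule and drop `w` and `l` from both rules. Split these, keeping `rwl` on `subscribers.d/*` together with the trailing-slash fix, and reduce the permissions in a separate change once the audit log shows no denied writes or links for this profile.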
> 
> I like reducing permissions, still - are you sure read-only is enough here?

No, I can't be sure. Yes, -sub and -unsub have rw access, I guess -bounce will
need it too.  I've got some more updates, I'll fix that. 

> BTW: the queue and subconf directories also need a trailing slash (or can be
> removed from the profile if you don't find complaints about this in the
> audit.log ;-)

I wanted to be careful and not change too much, I don't know mlmmj at all. 

> +/usr/bin/mlmmj-sub {
> 
> Another missing trailing slash for the "text" directory (or a superfluous
> rule ;-)
> 
> After adjusting those details, please attach the full mlmmj profiles as
> tarball. Your diff doesn't cleanly apply to the upstream profiles (not too
> surprising, probably they changed in the meantime), so having the full files
> makes things easier for me ;-)

Okay, will do.
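
One way to act on the suggestion above to look for complaints in audit.log, as an added example that is not part of the original mail and is not AppArmor's own tooling: it lists which paths and permissions were denied for the mlmmj profiles. The sample log lines, the list name `example` and the function name `denied_access` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the audit-log format AppArmor uses; the list name
# "example", pids and timestamps are made up for illustration.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1455012001.101:201): apparmor="DENIED" operation="open" profile="/usr/bin/mlmmj-bounce" name="/var/spool/mlmmj/example/queue/" pid=4101 comm="mlmmj-bounce" requested_mask="r" denied_mask="r" fsuid=498 ouid=498
type=AVC msg=audit(1455012002.102:202): apparmor="DENIED" operation="open" profile="/usr/bin/mlmmj-bounce" name="/var/spool/mlmmj/example/subscribers.d/a" pid=4101 comm="mlmmj-bounce" requested_mask="wc" denied_mask="wc" fsuid=498 ouid=498
type=AVC msg=audit(1455012003.103:203): apparmor="ALLOWED" operation="open" profile="/usr/bin/mlmmj-sub" name="/var/spool/mlmmj/example/text/" pid=4102 comm="mlmmj-sub" requested_mask="r" denied_mask="r" fsuid=498 ouid=498
type=AVC msg=audit(1455012004.104:204): apparmor="DENIED" operation="unlink" profile="/usr/bin/mlmmj-bounce" name="/var/spool/mlmmj/example/subscribers.d/a" pid=4101 comm="mlmmj-bounce" requested_mask="d" denied_mask="d" fsuid=498 ouid=498
type=AVC msg=audit(1455012005.105:205): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf" pid=4200 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
LOG_TO_RULE = {"c": "w", "d": "w"}  # create/delete in the log are covered by "w" in a profile


def denied_access(log_text, profile_prefix="/usr/bin/mlmmj-"):
    """Return {(profile, path): rule permissions that were denied}."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("apparmor") != "DENIED":
            continue  # skips complain-mode ALLOWED entries and non-AppArmor records
        profile = fields.get("profile", "")
        if not profile.startswith(profile_prefix) or "name" not in fields:
            continue
        for flag in fields.get("denied_mask", ""):
            needed[(profile, fields["name"])].add(LOG_TO_RULE.get(flag, flag))
    return {key: "".join(sorted(perms)) for key, perms in needed.items()}


if __name__ == "__main__":
    # Print one candidate rule per denied path, grouped by profile.
    for (profile, path), perms in sorted(denied_access(SAMPLE_AUDIT_LOG).items()):
        print(f"{profile}: {path} {perms},")
```

A directory shows up in the `name` field with its trailing slash, which is the form the profile rule has to use to match it.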

