[Bug 241948] New: Add "Glob-Deny" to aa-logprof
https://bugzilla.novell.com/show_bug.cgi?id=241948

           Summary: Add "Glob-Deny" to aa-logprof
           Product: openSUSE 10.3
           Version: unspecified
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Enhancement
          Priority: P5 - None
         Component: AppArmor
        AssignedTo: dreynolds@novell.com
        ReportedBy: suse-beta@cboltz.de
         QAContact: dreynolds@novell.com

I'm just running aa-logprof and deny'ing lots of /tmp/sess* files a PHP script with broken session.save_path tried to create.

I can tell you that this is an annoying thing - I could also have made this a major bug instead of enhancement because it's a DoS on the admin ;-)

I'd like to propose a new feature for aa-logprof: Glob-Deny

How it could work:
- select a glob as usual (let's say /tmp/sess_*)
- choose glob-deny (instead of deny)
- aa-logprof should not ask again for files matching this path

Having this feature as per-session feature of aa-logprof might be enough in case you don't want to add a blocklist syntax to the apparmor profiles.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

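A sketch of the per-session glob-deny behaviour proposed in the report above, added here as an illustration; it is not aa-logprof's code. The class, function and profile names and the sample events are assumptions, and only the `*`, `**` and `?` part of AppArmor path globbing is handled (`*` and `?` do not cross `/`, `**` does).

```python
import re

def aa_glob_to_regex(glob):
    """Compile a subset of AppArmor path globbing ('**', '*', '?') to a regex."""
    tokens = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.findall(r"\*\*|.", glob, re.DOTALL)  # '**' is tried before '*'
    pattern = "".join(tokens.get(t, re.escape(t)) for t in parts)
    return re.compile(pattern, re.DOTALL)

class LogprofSession:
    """Hypothetical per-session memory of glob-deny answers, keyed by profile."""
    def __init__(self):
        self.glob_denies = []  # list of (profile, glob, compiled regex)

    def glob_deny(self, profile, glob):
        self.glob_denies.append((profile, glob, aa_glob_to_regex(glob)))

    def matching_glob(self, profile, path):
        # A glob-deny answered for one profile must not silence another profile.
        for prof, glob, rx in self.glob_denies:
            if prof == profile and rx.fullmatch(path):
                return glob
        return None

def triage(events, session):
    """Split events into (still_ask, suppressed); suppressed keeps the matching glob."""
    still_ask, suppressed = [], []
    for profile, path in events:
        glob = session.matching_glob(profile, path)
        (still_ask if glob is None else suppressed).append((profile, path, glob))
    return still_ask, suppressed

# Constructed sample events (profile, requested path); not taken from a real log.
HTTPD = "/usr/sbin/httpd2-prefork"  # assumed profile name
EVENTS = [
    (HTTPD, "/tmp/sess_0a1b2c"),
    (HTTPD, "/tmp/sess_9f8e7d"),
    (HTTPD, "/tmp/sess_dir/data"),           # '*' does not cross '/': still asked
    ("/usr/bin/other", "/tmp/sess_0a1b2c"),  # different profile: still asked
]

if __name__ == "__main__":
    session = LogprofSession()
    session.glob_deny(HTTPD, "/tmp/sess_*")
    print(triage(EVENTS, session))
```

Returning the suppressed events together with the glob that matched them lets the tool show the administrator what a glob-deny is hiding in the current session.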
https://bugzilla.novell.com/show_bug.cgi?id=241948

sbeattie@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|dreynolds@novell.com        |jmichael@novell.com

------- Comment #1 from sbeattie@novell.com 2007-02-05 11:12 MST -------
Thanks for the suggestion, Christian, it's a decent idea. It'd be preferable (I think) for aa-logprof to be able to save an answer like this so that stopping and starting aa-logprof wouldn't require re-answering with the same glob-deny. It also might be useful to display which glob-denies are currently in effect, and give the administrator the option of modifying or deleting them.

But perhaps what you propose would be a useful first step; what do you think, Jesse?

https://bugzilla.novell.com/show_bug.cgi?id=241948

jmichael@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Comment #2 from jmichael@novell.com 2007-02-25 09:12 MST -------
I think that's a good idea. I'd ultimately like to do something like sbeattie mentioned, but having it per-session wouldn't be too hard and would be a good start.

https://bugzilla.novell.com/show_bug.cgi?id=241948

------- Comment #3 from al4321@gmail.com 2007-04-29 14:15 MST -------
The main problem here is that AppArmor remembers only "allowed" resources, but has no way to remember the "disallowed" ones.

How to address this issue?

I think it is best to change the AppArmor profile in a way that will allow explicitly writing "deny" states, like in a firewall.

-Alexey "Technologov"

https://bugzilla.novell.com/show_bug.cgi?id=241948

------- Comment #4 from al4321@gmail.com 2007-04-29 15:15 MST -------
I would also rename this issue as: AppArmor Update Wizard doesn't remember denied statements

https://bugzilla.novell.com/show_bug.cgi?id=241948#c5

Dominic Reynolds <dreynolds@novell.com> changed:

           What    |Removed                       |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                      |RESOLVED
         Resolution|                              |LATER
            Summary|Add "Glob-Deny" to aa-logprof |AppArmor Update Wizard doesn't remember denied
                   |                              |statements

--- Comment #5 from Dominic Reynolds <dreynolds@novell.com> 2007-08-20 13:13:42 MST ---
Changed title - moved to enhancement - to be addressed post 10.3

https://bugzilla.novell.com/show_bug.cgi?id=241948

User suse-beta@cboltz.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=241948#c7

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|WONTFIX                     |FIXED

--- Comment #7 from Christian Boltz <suse-beta@cboltz.de> 2008-09-08 14:15:16 MDT ---
AppArmor in 11.0 supports (permanent) "deny" statements - updating the status :-)

https://bugzilla.novell.com/show_bug.cgi?id=241948

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |VERIFIED