Hello, on Tuesday, 26 October 2010, Peter Czanik wrote:
> There is one thing holding me back: AppArmor. I did not get useful help on how to be able to run external apps from syslog-ng.
Did you test with the apparmor 2.5.1 packages from security:apparmor? (not sure if Jeff has submitted them to Factory already) Assuming AppArmor works, you simply have to run aa-logprof and allow the additional permissions. The hardcore method ;-) is to manually add the rules in /etc/apparmor.d/* (in case of executing an external application, you'll need *x (ix, Px etc.) rules) - that's doable, but nothing you should recommend to every user *g*
> and a README.SuSE explaining, that "to use program() data sources and/or destinations, or to use some features of SCL, one needs to disable AppArmor for syslog-ng".
If you really do this, then please add a (temporary) BuildRequires: apparmor-utils = 2.3.1 so that you get an automatic reminder when the updated AppArmor packages are in Factory ;-) Or just be optimistic and recommend running "aa-logprof" to update the profile if someone wants to use program().

I'd say you should recommend using child profiles (Cx) or external profiles (Px) so that the external programs get their own profile. Which of them is better depends on whether the program will/can be run standalone, and if it should be confined then. For example, a custom perl script to process the log entries is a candidate for Px, but you'll get very grey hair if you use Px for something like bash or sed - those are candidates for Cx. Inherit (ix) isn't the best idea from the security point of view because then the called program has all permissions syslog-ng has. Also unconfined (Ux) is a bad idea because the program will not be restricted then. Oh, and please recommend to always clean the environment... (that's Cx and Px, never use cx or px).

Hmm, that said - should we have some "AppArmor in 5 minutes" guide? The most important part would be "understanding the aa-logprof questions"... I know there's a full AppArmor manual (now part of the security manual), but that's probably too long to read for "just" updating a single profile.

Regards,
Christian Boltz
--
Pretty much all games run on Windows 95. For serious work, though, you should install an operating system as well.
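The exec-mode advice above, turned into a sketch of what the syslog-ng profile could look like with AppArmor 2.5 rules (added example, not code from the thread or from the syslog-ng package); the script path /usr/local/bin/logfilter.pl, the archive directory and the concrete file rules are assumptions:

```apparmor
# Added example: excerpt of a hypothetical /etc/apparmor.d/usr.sbin.syslog-ng
#include <tunables/global>

/usr/sbin/syslog-ng {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  /usr/sbin/syslog-ng mr,
  /etc/syslog-ng/** r,
  /var/log/** rw,
  /dev/log w,

  # A site-specific filter script (assumed path) that is also useful
  # standalone: give it its own profile in a separate file
  # (usr.local.bin.logfilter.pl). The rule is on the script path, not on
  # /usr/bin/perl. Upper-case P scrubs the environment (LD_PRELOAD etc.)
  # at the domain switch; lower-case p would pass it through.
  /usr/local/bin/logfilter.pl Px,

  # A shell helper run via program(): a global profile for /bin/bash would
  # break every other user of bash, so confine it with a child profile
  # declared inside this one. Upper-case C again cleans the environment.
  /bin/bash Cx,
  /bin/bash {
    #include <abstractions/base>
    /bin/bash rm,
    /bin/sed rix,
    /var/log/syslog-ng-archive/** rw,
  }

  # Not recommended:
  #   /bin/bash ix,   -> helper inherits every permission syslog-ng has
  #   /bin/bash Ux,   -> helper runs unconfined
}
```

After editing, reload the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.syslog-ng` and watch for DENIED entries in the audit log (or run aa-logprof) until the child profile has the permissions the helper actually needs.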