Hello,
if I understood it correctly the AppArmor version 1.2 of SUSE 10.0 does not allow to create new profiles with the Add Profile Wizard.
But when I played with it I found out the command line tool "genprof" actually does allow to generate a new profile and genprof is nothing else than the Yast Wizard, is this right? So I actually can add a new profile using genprof, but just not using the Yast Wizard?
BTW, are there Novell/OpenSUSE sites that offer new profiles for download?
Thanks
Malte
On Sunday 30 April 2006 20:21, Malte Gell wrote:
Hello,
if I understood it correctly the AppArmor version 1.2 of SUSE 10.0 does not allow to create new profiles with the Add Profile Wizard.
But when I played with it I found out the command line tool "genprof" actually does allow to generate a new profile and genprof is nothing else than the Yast Wizard, is this right? So I actually can add a new profile using genprof, but just not using the Yast Wizard?
My mistake... genprof /opt/kde3/bin/kaffeine worked, whereas genprof /usr/local/bin/xine does not and refuses as expected to create a new profile. It seems to depend where the executable is located if AppArmor 1.2 refuses to add a new profile. Interesting...
On Sun, Apr 30, 2006 at 08:43:22PM +0200, Malte Gell wrote:
On Sunday 30 April 2006 20:21, Malte Gell wrote:
Hello,
if I understood it correctly the AppArmor version 1.2 of SUSE 10.0 does not allow to create new profiles with the Add Profile Wizard.
But when I played with it I found out the command line tool "genprof" actually does allow to generate a new profile and genprof is nothing else than the Yast Wizard, is this right? So I actually can add a new profile using genprof, but just not using the Yast Wizard?
My mistake... genprof /opt/kde3/bin/kaffeine worked, whereas genprof /usr/local/bin/xine does not and refuses as expected to create a new profile. It seems to depend where the executable is located if AppArmor 1.2 refuses to add a new profile. Interesting...
Just use the one from 10.1 then, it is unrestricted.
Ciao, Marcus
On Sunday 30 April 2006 21:07, Marcus Meissner wrote:
Just use the one from 10.1 then, it is unrestricted.
Thanx for the hint. 10.0 and 10.1 use different kernels, does the 10.0 kernel work flawlessly with AppArmor2 from 10.1 or does AppArmor2 come with a new kernel module?
Thanx and Regards
Malte
On Sun, Apr 30, 2006 at 09:23:00PM +0200, Malte Gell wrote:
On Sunday 30 April 2006 21:07, Marcus Meissner wrote:
Just use the one from 10.1 then, it is unrestricted.
Thanx for the hint. 10.0 and 10.1 use different kernels, does the 10.0 kernel work flawlessly with AppArmor2 from 10.1 or does AppArmor2 come with a new kernel module?
I don't know, I am afraid. I will bring up if we can un-restrict the 10.0 version via YOU.
Ciao, Marcus
On Sunday 30 April 2006 21:31, Marcus Meissner wrote:
On Sun, Apr 30, 2006 at 09:23:00PM +0200, Malte Gell wrote:
On Sunday 30 April 2006 21:07, Marcus Meissner wrote: Thanx for the hint. 10.0 and 10.1 use different kernels, does the 10.0 kernel work flawlessly with AppArmor2 from 10.1 or does AppArmor2 come with a new kernel module?
I don't know, I am afraid.
I will bring up if we can un-restrict the 10.0 version via YOU.
That would be really great, thanks! AppArmor really is a cool thing, other operating systems can only dream of something like this ;-)
Malte
Malte Gell wrote:
On Sunday 30 April 2006 21:31, Marcus Meissner wrote:
I will bring up if we can un-restrict the 10.0 version via YOU.
That would be really great, thanks! AppArmor really is a cool thing, other operating systems can only dream of something like this ;-)
To un-restrict AppArmor 1.2 in SUSE Linux 10.0, place the attached file darix.pem into /etc/apparmor/certs/ and it'll unlock the whole mess.
What's going on: AppArmor 1.2 in SL10.0 has an evil DRM hack in it so that it will only generate profiles for pathnames that SUSE has signed for. This was as open as we could make it at the time that SL10.0 had to ship last fall, before we had permission to open source AppArmor. My apologies to everyone inconvenienced.
The darix.pem key signs for everything, so you can profile any program you want, which makes SL10.0 function just as if it had unrestricted AppArmor. This should be less disruptive than trying to use AA from SL10.1.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
On Monday 01 May 2006 03:52, Crispin Cowan wrote:
To un-restrict AppArmor 1.2 in SUSE Linux 10.0, place the attached file darix.pem into /etc/apparmor/certs/ and it'll unlock the whole mess.
What's going on: AppArmor 1.2 in SL10.0 has an evil DRM hack in it so that it will only generate profiles for pathnames that SUSE has signed for. This was as open as we could make it at the time that SL10.0 had to ship last fall, before we had permission to open source AppArmor.
Thank you very much! So the restriction was a legal issue. I guess most people may have thought it had other reasons ;-) As Marcus suggested, wouldn't it be even more nice to offer this certificate as a regular patch via YOU?
Do you get any feedback from people using AA, is its use widely spread, any big names using it?
Regards
Malte
Hello,
On Tuesday, 2 May 2006 02:34, Malte Gell wrote:
Do you get any feedback from people using AA
I'd say yes ;-) http://tinyurl.com/rwrmu (yes, that links to bugzilla - but usually nobody tells if everything simply works ;-)
BTW: I agree that a YOU update removing the restrictions in 10.0 would be a very good idea.
Regards,
Christian Boltz
--
martins@apollo:~> telnet titanic.st.bauing.tu-darmstadt.de 25
Trying 130.83.84.100...
telnet: connect to address 130.83.84.100: Connection refused
"titanic..." does not accept any mail, presumably the machine has sunk. ;-)
[Martin Schmitz in suse-linux]
Christian Boltz wrote:
BTW: I agree that a YOU update removing the restrictions in 10.0 would be a very good idea.
We are trying to decide which would be better:
* Issue the certificate via YOU. This imposes the least change on your systems. Least work for you, least work for us, but kinda kludgey.
* Issue an updated AppArmor parser via YOU. This imposes larger changes on your system, but results in simpler software running on your systems. This is more work for you, more work for us, but is the right thing to do.
But if we are going to talk about the "right thing to do", the right thing is to upgrade to SUSE 10.1 :) which has the unrestricted version of AppArmor by default. It also has some new features, and a much improved set of profiles.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
On Sun, 07 May 2006 10:22:16 -1000, Crispin Cowan <crispin@novell.com> wrote:
We are trying to decide which would be better:
* Issue the certificate via YOU. [...]
* Issue an updated AppArmor parser via YOU. [...]
But if we are going to talk about the "right thing to do", the right thing is to upgrade to SUSE 10.1 :)
Thinking about server availability - servers seem to be the place AppArmor is most useful - patches that do _not_ require reconfiguration and/or manual intervention are most attractive. And with 10.1 coming soon, if you're willing to play around with your servers' settings anyway, upgrading seems doable.
Just my 2ct
markus
participants (5)
- Christian Boltz
- Crispin Cowan
- Malte Gell
- Marcus Meissner
- Markus Ottenbacher