On Wed, Feb 28, 2007 at 06:47:20PM +0000, Peter Bradley wrote:
> Well, "going wild" may be a bit colourful :) but I somehow went from having no problem at all with Apache to having nothing but trouble - and it all turned out to be because AppArmor was (if I understand correctly how it works) denying it access to the file system. I had to use the most general glob possible in the end, because anything else fell over the next time a new, unique filename was created.
Well, hopefully you were able to find something better than /** rw, :) but yes, you have a pretty good grasp of how AppArmor works. :)
> Why it should suddenly have started denying access is a complete mystery to me.
Our supplied profiles are a difficult mixture of trying to allow usual configurations to work bug-free out of the box, allowing people to make some customizations without too much trouble, and still trying to provide some level of security. It is a delicate balance, especially for something as generic as Apache. (This is one of the reasons why we moved away from turning on the Apache profile by default in future releases -- very few people leave Apache alone, so everyone's is unique, and providing any sort of meaningful security policy that fits everyone is pretty difficult.) So we provide a base one for people to copy if they wish in 10.1, 10.2, etc., and ask people to use aa-genprof or aa-logprof to customize the policy for their own use once deployed.
> I'm still on 10.0. It's been so hard to get it configured how I want it that I'm a bit unwilling to upgrade - especially having seen all the problems that people have had with upgrades. I really don't want to have to do a clean install of a newer version and have to go through weeks of configuring everything (Apache, PHP, Zend IDE and Platform, MySQL + tools, etc etc).
I completely understand this sentiment. ;) I normally skip a release or two between updates, simply because I do not like to be without a usable computer for a day or two..
> And please don't regard my comments as a complaint. Despite the fact that I've found 10.0 to be more flakey than any other OS I've ever installed, I still wouldn't go back to Windows. I just reckon that occasionally you have to suffer to be free :)
It's an interesting one-step-forwards, one-step-backwards, and sometimes steps to the side... Recent Linux systems seem to be flakier than the Linux I used a decade ago, but they are also far more featureful. (perhaps it is simply how I use my system that has changed.)
> Now, I'm going to post this before Thunderbird crashes.
Success :) Thanks
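
To make the glob trade-off discussed in this thread concrete, here is an added example (not part of the original messages and not AppArmor's own code): a simplified Python model of AppArmor path globbing, where `*` stays inside one directory and `**` crosses `/`. All paths and candidate rules are constructed, and the matcher deliberately ignores character classes and the parser's trailing-slash directory handling.

```python
import re

def aa_glob_to_regex(rule):
    """Translate a subset of AppArmor path globs into a compiled regex.

    Simplified model (assumption): '**' crosses '/', '*' and '?' do not,
    '{a,b}' is alternation. Nothing else is treated as special.
    """
    out, i, depth = [], 0, 0
    while i < len(rule):
        c = rule[i]
        if rule.startswith("**", i):
            out.append(".*")          # any characters, including '/'
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")       # stays within one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")           # comma separates alternatives in braces
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.S)

# Constructed sample paths; none of them come from the thread.
NEW_UPLOAD = "/srv/www/htdocs/uploads/sess_8f3a1c.tmp"   # new, unique filename
NESTED = "/srv/www/htdocs/uploads/2007/02/img.png"       # file in a subdirectory
UNRELATED = "/etc/shadow"                                 # nothing Apache needs

CANDIDATES = {
    "exact file": "/srv/www/htdocs/uploads/sess_000001.tmp",
    "one directory": "/srv/www/htdocs/uploads/*",
    "one subtree": "/srv/www/htdocs/uploads/**",
    "everything": "/**",
}

def coverage(rule):
    """Return (new upload, nested file, unrelated file) match results."""
    rx = aa_glob_to_regex(rule)
    return tuple(bool(rx.fullmatch(p)) for p in (NEW_UPLOAD, NESTED, UNRELATED))

if __name__ == "__main__":
    for label, rule in CANDIDATES.items():
        print(f"{label:14} {rule:42} {coverage(rule)}")
```

The exact-file rule is the one that breaks on every new filename; the directory and subtree rules absorb new names without also covering the rest of the filesystem the way `/**` does.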