I'm aiming at starting a debate here - not solving a problem. I'm currently testing/running 10.1RC1 on a couple of systems, but the version is really less important. I've got a few changes to make to the postfix config, and frankly, apparmor keeps getting in my way. I change a transport map in main.cf, apparmor complains. I add an smtpd daemon in master.cf, app-armor complains. Novell (in the shape of Seth Arnold) have been very forthcoming with help and suggestions, which I much appreciate, but - if it wasn't for apparmor, I'd have a lot less to do. After I modify e.g. /etc/postfix/main.cf, I may need to run 'aa-genprof' as appropriate to update apparmor's profile. Whether my changes necessitate an apparmor profile update I can only tell by restarting postfix, then checking either /var/log/mail or /var/log/audit/* for errors. And frankly, that becomes a bit of a nuisance. Does apparmor really have to watch my every move? Is there perhaps a warning mode switch I haven't spotted? /Per Jessen, Zürich
AppArmor can be turned off. If you have problems with it - turn it off. SUSE Linux 10.0 is the first generation of Linuxes with AppArmor included, just like Fedora Core 2 was the first generation of Linuxes with SELinux included (and it was terribly bad). In my opinion it will take a year to get AppArmor to a good state (which results in SUSE Linux 10.3 - which will have good AppArmor).
Alexey Eremenko wrote:
AppArmor can be turned off. If you have problems with it - turn it off.
Yeah, I know. I did also suggest to Novell to have it turned off by default, but their reasoning was to leave it on by default to create more feedback. Which in a way makes sense, except when you have to update apparmor profiles whenever you change the slightest config. That's why I thought it might make sense if apparmor didn't see things as either black or white, but would just warn people when it detects something unexpected. Otherwise Novell will end up with zero feedback because everyone just turns it off. /Per Jessen, Zürich
On Wed, Apr 19, 2006 at 02:21:46PM +0200, Per Jessen wrote:
Alexey Eremenko wrote:
AppArmor can be turned off. If you have problems with it - turn it off.
Yeah, I know. I did also suggest to Novell to have it turned off by default, but their reasoning was to leave it on by default to create more feedback. Which in a way makes sense, except when you have to update apparmor profiles whenever you change the slightest config. That's why I thought it might make sense if apparmor didn't see things as either black or white, but would just warn people when it detects something unexpected. Otherwise Novell will end up with zero feedback because everyone just turns it off.
You can set profiles to "complain" instead of "strict" mode.

foo flags=(complain) { ... stuff ... }

Or use the "complain" helper program, see "man complain". Ciao, Marcus
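The two things this thread turns on are the header edit Marcus shows (a profile opened as `foo flags=(complain) {` logs instead of blocks) and the log check Per describes (restart the daemon, then look in /var/log/audit for what AppArmor objected to). The script below is an added example, not code from the list posters or from the AppArmor project; AppArmor's own `complain` helper and aa-genprof remain the supported way to do this. It assumes profile headers of the form `/path/to/binary {` or `/path/to/binary flags=(complain) {`, and audit lines made of key="value" fields carrying apparmor="DENIED" or apparmor="ALLOWED" (the key="value" style is an assumption; the profile and log lines in the usage note are constructed, not captured from a real 10.1 system).

```shell
#!/bin/sh
# Added example for this thread (not code from the list posters or from the
# AppArmor project). Assumptions: a profile header reads "/path/to/binary {"
# or "/path/to/binary flags=(complain) {" as in Marcus's snippet, and audit
# lines use key="value" fields with apparmor="DENIED" or apparmor="ALLOWED";
# any profile or log line fed to these helpers in the notes is constructed.

# profile_mode FILE -> prints "complain" or "enforce" for the profile in FILE.
profile_mode() {
    if grep -q '^/[^ ]* *flags=(complain) *{' "$1"; then
        echo complain
    else
        echo enforce
    fi
}

# set_profile_mode FILE complain|enforce -> rewrites the header line, the
# same edit Marcus describes doing by hand in vi. Rule lines are untouched
# and adding the flag twice has no effect.
set_profile_mode() {
    file=$1; mode=$2; tmp="$file.tmp.$$"
    case $mode in
        complain)
            sed -e '/^\/[^ ]* *{ *$/ s/ *{ *$/ flags=(complain) {/' "$file" > "$tmp" ;;
        enforce)
            sed -e 's/^\(\/[^ ]*\) *flags=(complain) *{ *$/\1 {/' "$file" > "$tmp" ;;
        *)
            echo "set_profile_mode: mode must be complain or enforce" >&2
            return 2 ;;
    esac
    mv "$tmp" "$file"
}

# awk prologue shared by the two log helpers: parse() fills the globals
# prof, act and path from one audit line's key="value" fields.
aa_parse='
function parse(    i, n, kv, v) {
    prof = ""; act = ""; path = ""
    for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue
        v = kv[2]; gsub("\"", "", v)
        if (kv[1] == "profile") prof = v
        else if (kv[1] == "apparmor") act = v
        else if (kv[1] == "name") path = v
    }
}'

# audit_summary LOG -> one line per profile: "<profile> denied=N allowed=M".
# DENIED is an enforce-mode block; ALLOWED is what a complain-mode profile
# logs instead of blocking, i.e. an access the profile still lacks a rule for.
audit_summary() {
    awk "$aa_parse"'
    {
        parse()
        if (act == "DENIED") d[prof]++
        else if (act == "ALLOWED") a[prof]++
        else next
        seen[prof] = 1
    }
    END { for (p in seen) printf "%s denied=%d allowed=%d\n", p, d[p]+0, a[p]+0 }
    ' "$1" | sort
}

# audit_paths LOG PROFILE -> the distinct paths PROFILE was denied (or, in
# complain mode, would have been denied): the candidates for new rules.
audit_paths() {
    awk -v want="$2" "$aa_parse"'
    {
        parse()
        if (prof == want && path != "" && (act == "DENIED" || act == "ALLOWED")) print path
    }
    ' "$1" | sort -u
}

# Minimal command-line front end; with no arguments the file only defines
# the functions so it can be sourced from another script.
case "${1-}" in
    mode)     profile_mode "$2" ;;
    complain) set_profile_mode "$2" complain ;;
    enforce)  set_profile_mode "$2" enforce ;;
    summary)  audit_summary "$2" ;;
    paths)    audit_paths "$2" "$3" ;;
esac
```

Typical use after a postfix config change: `sh aa-helpers.sh complain /etc/apparmor.d/usr.lib.postfix.smtpd`, restart postfix, then `sh aa-helpers.sh paths /var/log/audit/audit.log /usr/lib/postfix/smtpd` lists the files (a new transport map, say) the profile needs rules for; once those are added, `enforce` puts the header back. The header edit is idempotent on purpose, so a second `complain` run cannot leave two flags on the line.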
Marcus Meissner wrote:
You can set profiles to "complain" instead of "strict" mode.
is that the "profile" menu in yast? I didn't ever understand what it's for :-)
a great part of yast is undocumented :-(
jdd
--
http://www.dodin.net
http://dodin.org/galerie_photo_web/expo/index.html
http://lucien.dodin.net
http://fr.susewiki.org/index.php?title=Gérer_ses_photos
On Wed, Apr 19, 2006 at 02:43:18PM +0200, jdd wrote:
Marcus Meissner wrote:
You can set profiles to "complain" instead of "strict" mode.
is that the "profile" menu in yast? I didn't ever understand what it's for :-)
a great part of yast is undocumented :-(
I am editing apparmor profiles with vi. (they are in /etc/apparmor.d/ ... ) Ciao, Marcus
Marcus Meissner wrote:
You can set profiles to "complain" instead of "strict" mode.
foo flags=(complain) { ... stuff ... }
Or use the "complain" helper program, see "man complain".
Perfect! Just what I was after. /Per Jessen, Zürich