[opensuse] AppArmor - SuSE 10.0
Honestly, whoever wrote this AppArmor thing must have been on drugs. After fighting with it over what Apache could do, I now find it won't let Acroread open PDF files! What's that all about? I tried adding read permissions for *.pdf into the profile, but it still won't have it. Can anyone explain how you get this thing to work? Is it best just to switch it off? Peter -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Sun, Mar 25, 2007 at 06:00:31PM +0100, Peter Bradley wrote:
Honestly, whoever wrote this AppArmor thing must have been on drugs.
Thanks :) The AppArmor in 10.0 is unfortunate. It was hastily assembled shortly after Novell acquired Immunix, and hadn't yet figured out a business model. So the 10.0 version can only profile a handful of applications. AppArmor in newer distributions is significantly less stupid.
After fighting with it over what Apache could do, I now find it won't let Acroread open PDF files! What's that all about? I tried adding read permissions for *.pdf into the profile, but it still won't have it.
Can anyone explain how you get this thing to work? Is it best just to switch it off?
My best guess (without seeing your changes) is that you wrote something like:
/*.pdf r,
into the profile.
'*' will not traverse directories, so this would only read pdf files stored in the filesystem root.
/**.pdf r,
would let your acroread read any PDFs anywhere.
Once you get tired of hand-editing profiles and re-loading profiles on each change, give our wizards a shot. In one terminal, as an unconfined root user, run:
genprof acroread
Then start up acroread, use it a bit, close it. Then hit the 'scan' button, answer a few questions (keeping in mind the difference between '*' and '**') and when you click 'finish', you'll be good to go. There's also a yast version of this, something like "Novell AppArmor".
Hope this helps
Seth Arnold wrote:
On Sun, Mar 25, 2007 at 06:00:31PM +0100, Peter Bradley wrote:
Honestly, whoever wrote this AppArmor thing must have been on drugs.
Thanks :)
Sorry. I think I was in hysterical overstatement mode.
The AppArmor in 10.0 is unfortunate. It was hastily assembled shortly after Novell acquired Immunix, and hadn't yet figured out a business model. So the 10.0 version can only profile a handful of applications.
AppArmor in newer distributions is significantly less stupid.
Glad to hear it. And thanks for the tips. I'll follow your advice and I'm sure it'll sort itself out.
Cheers
Peter
Seth Arnold wrote:
<snip /> My best guess (without seeing your changes) is that you wrote something like:
/*.pdf r,
into the profile.
'*' will not traverse directories, so this would only read pdf files stored in the filesystem root.
/**.pdf r,
would let your acroread read any PDFs anywhere.
Thanks, but it looks like I spoke too soon in my previous post. If I try the profile wizard, I now get an error message saying:
"/etc/subdomain/usr.X11R6.bin.acroread contains syntax errors"
When I click OK, the Wizard closes. Rinse and repeat.
If I click "Edit Profile", nothing happens. If I click "Delete Profile", nothing happens. Is there any way I can sort this out by hand?
I'd better stop now before I go into overstatement mode again.
Peter
Hi Peter,
+++ Peter Bradley [27/03/07 19:06 +0100]:
Seth Arnold wrote:
<snip /> My best guess (without seeing your changes) is that you wrote something like:
/*.pdf r,
into the profile.
'*' will not traverse directories, so this would only read pdf files stored in the filesystem root.
/**.pdf r,
would let your acroread read any PDFs anywhere.
Thanks, but it looks like I spoke too soon in my previous post. If I try the profile wizard, I now get an error message saying:
"/etc/subdomain/usr.X11R6.bin.acroread contains syntax errors"
Can you attach this file so we can look at it and identify the problem? Also, is that what the error says? I would have expected this to come from /etc/subdomain.d. That's where the file usr.X11R6.bin.acroread should reside (at least the one that contains an AppArmor loaded profile). This could be a problem with the error message we are presenting in this case. If the error does indeed give that path I would still like to see:
/etc/subdomain.d/usr.X11R6.bin.acroread
As that is what should be getting loaded.
When I click OK, the Wizard closes. Rinse and repeat.
If I click "Edit Profile", nothing happens. If I click "Delete Profile", nothing happens. Is there any way I can sort this out by hand?
There are improvements in this area from openSUSE 10.2 to identify syntax errors and provide you better feedback (at least a dialog with a list of bad files) - as opposed to not running the wizards in yast at all if the profiles can not be loaded for some reason. At the point you are at (syntax errors in the profiles) you will need to correct them and reload the profile set before running the wizards again. Attaching the profile should let us identify what the problem is and get you an updated version that you can drop back into /etc/subdomain.d/.
I'd better stop now before I go into overstatement mode again.
Peter
dominic
Dominic Reynolds wrote:
Hi Peter,
Hi Dominic
Can you attach this file so we can look at it and identify the problem?
Just to prove I'm not totally useless (almost totally, but not entirely), I've fixed it. See below.
Also, is that what the error says? I would have expected this to come from /etc/subdomain.d. That's where the file usr.X11R6.bin.acroread should reside (at least the one that contains an AppArmor loaded profile). This could be a problem with the error message we are presenting in this case. If the error does indeed give that path I would still like to see:
/etc/subdomain.d/usr.X11R6.bin.acroread
As that is what should be getting loaded.
Yes. You're right. Transcription error. Sorry.
There are improvements in this area from openSUSE 10.2 to identify syntax errors and provide you better feedback (at least a dialog with a list of bad files) - as opposed to not running the wizards in yast at all if the profiles can not be loaded for some reason.
At the point you are at (syntax errors in the profiles) you will need to correct them and reload the profile set before running the wizards again.
OK. Putting 2 and 2 together, and for once in my life making 4 (ish), I opened the file and corrected the *.pdf r line to read /**.pdf r as suggested by Seth. This seems to have fixed it. Your asking for the file made me look at it, of course - and I thought it'd be worth making that one change. Luckily, it appears to have worked.
I still can't imagine how the application could cheerfully squirrel away a syntax error without squawking. I would have had serious words with my team if they'd done that. :)
Anyway, one good thing is that at least having problems is educational. I'll know where to look next time: and Seth's last post was, of course, extremely helpful.
Just in case, I actually looked in the manual that came with my SuSE 10.0 boxed set - since I've advised people to RTFM enough times myself - but I couldn't find any mention of AppArmor. Bit of an oversight, don't you think? Especially with an application that takes it into its head every now and then to start putting the barriers up for no good reason that I can see.
Still, as I say, an educational experience.
Thanks for the help. Honestly. :)
And yes, OK, if I'd just upgrade... But it's taken me so long to get this version set up as I want it, I just can't face the hassle. Not for a year or so, anyway.
Peter
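Added example, not part of the original thread and not AppArmor's own parser: a simplified Python model of the two points discussed above, that '*' stays within one directory level while '**' crosses '/', and that a file rule whose path does not start with '/' is rejected. The function names, the sample paths and the narrower /home/**.pdf rule are assumptions made for illustration.

```python
import re

def glob_to_regex(glob):
    """Compile a simplified AppArmor path glob ('*', '**', '?') to a regex."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")       # '**' may cross '/' boundaries
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")    # '*' stays inside one path component
            i += 1
        elif glob[i] == "?":
            parts.append("[^/]")     # one character, never '/'
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(parts))

def parse_file_rule(line):
    """Split '<path glob> <perms>,' into its parts; reject malformed rules."""
    m = re.fullmatch(r"\s*(\S+)\s+([a-zA-Z]+)\s*,\s*", line)
    if m is None:
        raise ValueError(f"not a '<path> <perms>,' rule: {line!r}")
    path, perms = m.groups()
    if not path.startswith("/"):
        # Simplification: this sketch only accepts literal absolute paths.
        raise ValueError(f"path glob must be absolute: {path!r}")
    return path, perms

def rule_allows_read(line, path):
    """True if the rule grants 'r' on the given absolute path."""
    glob, perms = parse_file_rule(line)
    return "r" in perms and glob_to_regex(glob).fullmatch(path) is not None

# Constructed sample paths, not taken from the thread.
SAMPLES = ["/manual.pdf", "/home/peter/docs/manual.pdf", "/home/peter/notes.txt"]

def report(rule):
    """Map each sample path to whether the rule lets it be read."""
    return {p: rule_allows_read(rule, p) for p in SAMPLES}

if __name__ == "__main__":
    for rule in ("/*.pdf r,", "/**.pdf r,", "/home/**.pdf r,", "*.pdf r,"):
        try:
            print(rule, report(rule))
        except ValueError as err:
            print(rule, "REJECTED:", err)
```

The /home/**.pdf line shows how the same '**' can be scoped to one subtree when a profile should not grant read access to every PDF on the system.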
On Tue, Mar 27, 2007 at 08:44:26PM +0100, Peter Bradley wrote:
Just to prove I'm not totally useless (almost totally, but not entirely), I've fixed it. See below.
Great :) Good to hear, on both counts. :)
I still can't imagine how the application could cheerfully squirrel away a syntax error without squawking. I would have had serious words with my team if they'd done that. :)
That's a good question. Thankfully, our error handling here has improved drastically in newer versions, so at least newer releases will squawk. :)
Just in case, I actually looked in the manual that came with my SuSE 10.0 boxed set - since I've advised people to RTFM enough times myself - but I couldn't find any mention of AppArmor. Bit of an oversight, don't you think? Especially with an application that takes it into its head every now and then to start putting the barriers up for no good reason that I can see.
10.0 was prepared hastily. :/ I believe the AppArmor Admin Guide was only available as a PDF for 10.0.
Still, as I say, an educational experience.
Thanks for the help. Honestly. :)
And yes, OK, if I'd just upgrade... But it's taken me so long to get this version set up as I want it, I just can't face the hassle. Not for a year or so, anyway.
Something I can completely understand. I detest losing a day to reconfigure my software, recompile my local modifications, and try to return to a working system with a bunch of software that no longer functions as it used to. But sometimes the changes are bugfixes :) Any other problems with AppArmor, don't hesitate to yell.
Seth Arnold wrote:
<snip /> Any other problems with AppArmor, don't hesitate to yell.
I'll be sure to! You and Dominic have been great over this. Thanks for all your help. I mean it. I hope you haven't been upset by my occasional facetiousness. It comes from the frustrations of working in a Windows environment all day, reporting to super-Dilbertian PHBs. Sometimes it takes me a while to settle down. Thanks again. Peter
participants (3): Dominic Reynolds, Peter Bradley, Seth Arnold