Hello, on Thursday, 6 October 2011, Lars Müller wrote:
On Thu, Oct 06, 2011 at 12:51:48PM +0200, Sascha Peilicke wrote:
Hehe, unrelated to that, cboltz started fixing the profiles we ship, so apparmor even got better after we removed it from the default patterns :-)
That might sound like a fun fact, but is totally unrelated ;-) For the record: I started to work on the apparmor package (upstreaming patches etc.) before it was removed from the default pattern.
And therefore we turn it on by default again?
s/?/!/, and I couldn't agree more!
Oh, yes, the initial startup time of the system is more important than security.
Hey, I didn't mention that rule in my talk about the golden rules of bad programming, but it would have fit very well there ;-)
Can't we populate the apparmor cache as part of the installation/ upgrade/ maintenance of the system?
I'll enable caching, see my reply to Coolo's mail for details. However I don't want to package the cached files because that might cause funny side effects on updates (profile changed locally, but packaged cache looks newer and such stuff).
AA caused issues for Samba in the past. Nevertheless I'd like to have it enabled by default again. With profiles where we're not sure if they work correctly we might run it in complain mode.
That might be an option, but I'm not really happy with shipping profiles in complain mode - users probably expect that all profiles are in enforce mode. IMHO the better way is to ship them in the "extras" profile directory /etc/apparmor/profiles/extras/ where aa-genprof will pick them up as template. That said: There's a better solution for the samba profile, see below.
This reminds me of the open issue we had discussed in the past with regard to Samba, YaST, AA, and newly added shares.
Indeed, I'm aware of https://bugzilla.novell.com/show_bug.cgi?id=688040

The quick and easy solution would be a little script that extracts the paths of all shares from smb.conf and writes an apparmor profile snippet. This script should run when starting and reloading samba.

The downside is that it won't be aware of everything because
- you can reload samba using SWAT instead of the initscript or systemd
- it's possible to add "dynamic" shares that don't show up in smb.conf (for example using the "share directory" feature in KDE)

Covering all this makes things really difficult, therefore I'd say we should at least do the easy part (based on smb.conf) for 12.1. That's much better than the current state and will probably cover most use cases.

If someone can provide a script that prints the path of all shares in smb.conf (there are some hints about python and perl modules to parse smb.conf in the bugreport) in the format given below, I'll then integrate it in the initscript and systemd service file.

This is what the apparmor profile snippet should look like:

# autogenerated at samba startup - do not edit!
/path/to/share/ rk,
/path/to/share/** lrwk,
/another/share/ rk,
/another/share/** lrwk,

Regards,

Christian Boltz
--
Television and IP are two different things after all, even if both often run on electricity. [Peer Heinlein in postfixbuch-users]
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
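An added example of what such a generator could look like, written here for illustration; it is not the script requested in the mail above, nor anything from the bug report or the openSUSE samba/apparmor packages. It reads smb.conf directly rather than via a Samba module, picks up `path` and its synonym `directory`, skips [global] and shares without a path such as [homes], quotes paths that contain whitespace, and refuses to emit rules for paths containing smb.conf macros (`%U` and friends) or AppArmor glob characters, since a literal `*` in a share path would turn into a wildcard and grant smbd access far beyond the share. The smb.conf below is constructed for the example; the warning-to-stderr behaviour and the function names are my own choices.

```python
"""Extract share paths from an smb.conf and emit an AppArmor profile snippet
in the format given in the mail.  Example code, not the openSUSE package's
script.  Run with a path to an smb.conf, or without arguments to use the
constructed sample below."""
import re
import sys
from typing import List, Tuple

# Constructed sample smb.conf for offline testing (not any real system's file).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    ; security = user

# [homes] has no fixed path: it is resolved per user at connect time
[homes]
    comment = Home Directories
    browseable = no

[public]
    path = /srv/samba/public/
    read only = no

[printers]
    Path = /var/spool/samba
    printable = yes

# share whose path depends on the connecting user (%U macro)
[profiles]
    path = /srv/samba/profiles/%U

[project docs]
    directory = /srv/samba/project docs
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# smb.conf macros (%U, %H, %m, ...) cannot be resolved statically, and AppArmor
# glob metacharacters in a literal share path would widen the rule.  Both are
# reported instead of being written into the snippet.
UNSAFE_RE = re.compile(r"%[A-Za-z]|[*?\[\]{}]")


def parse_share_paths(text: str) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Return (shares, unresolved) as lists of (share name, path).

    Only sections carrying 'path' (or its synonym 'directory') yield a path;
    [global] is skipped.  Comment lines start with ';' or '#', keys are
    case-insensitive and may contain whitespace (e.g. 'read only'), and a
    trailing backslash continues a line.
    """
    shares, unresolved = [], []
    section = None
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            continue
        if section is None or section.lower() == "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        if key not in ("path", "directory"):
            continue
        path = value.strip().strip('"')
        # A relative path or one with macros/globs gets no rule, only a warning.
        if not path.startswith("/") or UNSAFE_RE.search(path):
            unresolved.append((section, path))
        else:
            shares.append((section, path))
    return shares, unresolved


def aa_quote(p: str) -> str:
    """AppArmor needs paths containing whitespace to be double-quoted."""
    return f'"{p}"' if re.search(r"\s", p) else p


def render_snippet(shares: List[Tuple[str, str]]) -> str:
    """Produce the snippet in the layout from the mail: one 'rk' rule for the
    share directory itself and one 'lrwk' rule for everything below it."""
    lines = ["# autogenerated at samba startup - do not edit!"]
    seen = set()
    for _name, path in shares:
        base = path.rstrip("/") + "/"
        if base in seen:  # two shares on the same directory need one rule pair
            continue
        seen.add(base)
        lines.append(f"{aa_quote(base)} rk,")
        lines.append(f"{aa_quote(base + '**')} lrwk,")
    return "\n".join(lines) + "\n"


def main(argv: List[str]) -> int:
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SMB_CONF
    shares, unresolved = parse_share_paths(text)
    sys.stdout.write(render_snippet(shares))
    for name, path in unresolved:
        sys.stderr.write(f"warning: share [{name}] path {path!r} not covered by snippet\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it prints the rule pairs for `public`, `printers` and `project docs` and warns about `profiles`, which is exactly the kind of share the mail says a static approach cannot cover. How the snippet is pulled into the smbd profile (an `#include` from the profile plus a reload with `apparmor_parser -r` when samba starts) is an assumption about the integration and not part of the example.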