On Friday, October 07, 2011 1:28 PM, "Christian Boltz" <opensuse@cboltz.de> wrote:
Hello,
On Friday, 7 October 2011, Tim Edwards wrote:
I might have read your post wrong but are you saying that Apparmor will, by default, break the file/folder sharing feature built into KDE?
In theory it could. Practice is (as usual) different - the default profile allows sharing the home directories. This means: if you share something in your home directory, everything will work.
The only thing that will not work with the default profile is sharing a directory outside your home directory (for example /tmp), but I'd say that's an acceptable restriction because most people won't share /tmp ;-)
If that's how it works then fair enough, that sounds like it doesn't actually break the feature.
Let me ask the other way round: did you ever hit an apparmor restriction when sharing a folder in KDE?
I'm not sure why but I could never get it working on 11.4, I ended up using fish:// in dolphin instead since I only need to transfer files to my netbook occasionally. Apparmor definitely did break my simple local-users only Dovecot setup though, and the bug I raised was closed as fixed even though it wasn't for me. <snip>
IIRC Redhat was very careful not to deploy profiles for services in SELinux until they were well tested and work.
SELinux is a slightly ;-) different beast and much more complex AFAIK (did you ever compare an apparmor profile to a SELinux profile?).
Nevertheless I'm quite sure they had some incomplete profiles because behaviour of many programs depends heavily on config options, and you never get everything in the first attempt.
Maybe, but after my experience with dovecot I got the impression that the Apparmor profiles weren't widely tested and were bitrotting. Maybe that's changed recently though.
Putting half-working profiles in Apparmor is not the way to go, otherwise soon 'Disable Apparmor' will become part of the standard troubleshooting advice on the Opensuse forum.
It isn't yet? That's good news and shows that the default profiles use sane rules ;-)
Besides that, the default advice in this case should be "check /var/log/audit/audit.log and open a bugreport if needed".
It's not exactly user friendly. Can't it use the desktop notification thing (whatever it's called) to pop-up a notification when it blocks something?
Tim
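
An added example, not part of the original e-mail thread: one way to do the "check /var/log/audit/audit.log" step mentioned above, by summarizing AppArmor denials per profile and path so they can be pasted into a bug report. The log records are constructed samples, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample records in the format AppArmor writes to audit.log;
# profiles, paths and PIDs are made up. The last "name" is hex-encoded, which
# is how the audit subsystem logs values containing spaces.
SAMPLE_LOG = """\
type=AVC msg=audit(1317990001.101:210): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dovecot" name="/srv/mail/example/inbox" pid=4021 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1317990002.333:211): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dovecot" name="/srv/mail/example/inbox" pid=4021 comm="dovecot" requested_mask="rw" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1317990003.000:212): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/example-daemon" name="/tmp/example" pid=4100 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1317990004.000:213): arch=c000003e syscall=2 success=yes exit=3 pid=4200 comm="cat"
type=AVC msg=audit(1317990005.500:214): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/example-daemon" name=2F746D702F6578616D706C652F6E65772066696C65 pid=4100 comm="example-daemon" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    rec = {}
    for key, quoted, bare in FIELD.findall(line):
        # Unquoted, all-hex values of string fields are hex-encoded text.
        if bare and key in ("name", "profile", "comm") and HEX.fullmatch(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        rec[key] = quoted or bare
    return rec

def summarize_denials(log_text):
    """Return sorted (profile, name, denied_mask, count) tuples for denials."""
    masks, counts = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED":
            continue  # skips other audit records and complain-mode "ALLOWED"
        key = (rec.get("profile", "?"), rec.get("name", "?"))
        masks[key].update(rec.get("denied_mask", ""))
        counts[key] += 1
    return [(p, n, "".join(sorted(masks[(p, n)])), counts[(p, n)])
            for p, n in sorted(masks)]

if __name__ == "__main__":
    for profile, name, mask, count in summarize_denials(SAMPLE_LOG):
        print(f"{profile}: denied '{mask}' on {name} ({count}x)")
```

To run it against a real log, pass the file's contents to `summarize_denials()` instead of `SAMPLE_LOG`.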