On 28/11/2013 01:01, Marcus Meissner wrote:
On Wed, Nov 27, 2013 at 08:43:46PM -0800, Linda Walsh wrote:
On 27/11/2013 13:16, Carlos E. R. wrote:
Because 13.1 reinstated apparmor as installed and running by default. This was not the case in 12.3 and perhaps some versions earlier.
??? Didn't someone else mention documented problems in the release notes with apparmor? Are you saying the "new" default is to turn on a non-standard security mechanism on all machines???
Why would they do that?
It is a standard security mechanism.
It is not the Linux nor the Unix standard security mechanism. It is an "advanced" or "alternate" security system that is not selected by default when you create a new kernel.
If there are issues then we can fix them.
Since it runs at boot, you are presuming the person is able to login, and bring up some mechanism to do that. If they find themselves locked out of their machine...they likely won't. If they have an alternate way to access the net, they still may not be able to give any useful information if locked out of machine. Certainly, if they are a new user to OS, or, worse, Linux in general, they will be completely clueless. If they have close friends they generally turn to for help, first, those friends will be less likely to be able to help them unless they already know 1) openSUSE, and 2) AppArmor. That will cut off a sizable portion of their (possibly non-existent) "close support group" as well.

vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
* If it was ***an option**, on install -- "do you want to install the
* Advanced Security Mechanism, AppArmor or do you want to use the
* standard Linux security mechanism? [If you didn't understand those
* terms, choose the latter]. (y/[n])
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You can run "logprof" or similar and report missing things in profiles.
While I could probably figure it out, I have a computer background, but until now I wouldn't have known logprof would have helped me -- I won't say I haven't seen the word before, but it wasn't something I was familiar with or how to use it to get into a machine I was locked out of due to AppArmor.

If the option, at install (or upgrade time) was offered -- then they can take responsibility and, at least, know they installed a non-standard security system that isn't the default Linux security mechanism. But if they are expecting a basic-linux install, I'd find a default installation of AppArmor, to be like installing a Greek-font and language interface for the default installation -- sure, you could call them standard, in Greece (maybe), but it doesn't seem like a wise choice for new users OR users using the older (or perhaps a different) model. It violates the premise of "least surprise".

None of this should be taken as a reflection on AppArmor being good or bad, just that it's something else that might go wrong, that, if it isn't configured "perfectly", will cause odd and random symptoms of programs being able to start, but access no resources (like happened to the OP)...

In order to create an experience with fewer unpleasant surprises (or surprises of any kind), I wouldn't *enable* (might install), AppArmor as a default. Same with "rtmond" -- installed, sure. But for a personal computer with only 1 user... I would question the need for such a mechanism as enabled by default.

*cheers*,
Linda

p.s. -- NOTE -- in GENERAL, configuring packages to be ON by default if they are installed, is a troublesome behavior. I see many things at install that I'd like to *try*, but usually 1 at a time. I'd prefer many things (if not most) to be "chkconfig'ed off" or whatever equivalence the SW has, by default on install (except for basic services needed to run the system).
Might even have a "configcheck service" -- like the rpmconfigcheck, that checks for installed but unconfigured or disabled (have never been enabled) services -- and given to users on a list, so they can go down the list and configure & check out each of the new options. For me, I'd find such much better than the -- "we tried to set things up based on our test systems in Laos, and we had no complaints"...;-)