[apparmor] [opensuse-factory] 12.1 is around the corner, and I must make my concerns known.
John Johansen
john.johansen at canonical.com
Wed Aug 17 04:42:14 UTC 2011
On 08/16/2011 09:12 PM, Roger Luedecke wrote:
> On Tuesday, August 16, 2011 02:43:37 PM Christian Boltz wrote:
>> There is aa-notify (accidentally named /usr/sbin/aa-apparmor_notify in
>> 11.4). Unfortunately it is underdocumented :-( and since it needs to
>> start as root (for read permissions on audit.log), it should probably be
>> started by init/systemd.
>>
>> There's a bit of configuration needed, I can write about the details if
>> someone is interested. It works (well, see next paragraph) and gives you
>> nice desktop notifications.
>>
>> Unfortunately a security feature of aa-notify strikes back - it drops
>> privileges after startup and then can't access /var/log/audit/ anymore.
>> I'm just sorting that out with Jamie (one of the AppArmor developers).
>> Unless there is a patch, the workaround is chmod 755 /var/log/audit/
>> (or better use chgrp trusted and chmod 750)
> Well now, then we just need to get this working then. That will be a massive
> boon. Quite frankly I can't imagine why this wouldn't have been a priority.
> The majority of Linux/openSUSE users I know are home desktop users. In fact, I
> only know one person who uses a non-enterprise supported Linux in a corporate
> space... which is openSUSE proudly enough.
>
Roger,
It looks like Christian and Jamie have solved this one today, and the patches
should be available soon.