[apparmor] AppArmor utils on openSUSE
apparmor at cboltz.de
Mon Dec 20 00:10:55 GMT 2010
Am Sonntag, 19. Dezember 2010 schrieb John Johansen:
> On 12/19/2010 07:23 AM, Christian Boltz wrote:
> > The question is how this could be solved.
> > Do you have updated logprof/genprof for AppArmor 2.3 that
> > understand *x permission log entries?
> > Or can I simply switch to the 2.5 utils without breaking something?
> The solution is getting opensuse updated to the new tools, there have
> been some packaging issues, but jeffm has fixed some of those and
> steve has also done some work at improving the packaging.
Yes, I know, and I also know that this is an ongoing effort. Jeff wrote
today in the bugreport that he is working on some "interesting"
packaging issues and that he expects to have 2.5.x in openSUSE 11.4
However, this bug is open for a long time and I'm getting impatient -
for me it is a blocker for upgrading several servers, and 11.1 (which is
the last with working utils) is going out of support in some days...
> You should be able to use the apparmor 2.5 tools, as they are
> backwards compatible with 2.3,
Sounds promising :-) - I'll test that.
Unfortunately the build for 11.3 in security:apparmor:factory fails
while trying to install a manpage, and the packages for factory don't
match the perl version in 11.3 (which means I would at least have to
move the perl modules around - not a big job, but nothing I want to do
after midnight ;-)
(If I just overlooked a working package for 11.3 somewhere, I'd welcome
> and you will see some nice improvements. Policy compilation is faster
Sounds like a really good thing. I have a (11.1) server with a big
apache profile (with about 150 hats/vHosts, profile filesize 70k + 150
abstractions [one per hat, auto-generated with a script] with 1k each +
another (shared) 2k abstraction + 10k abstractions included by this
abstraction - that all is included in all vHosts/hats).
70k Apache profile
+ 150 * 1k = 150k abstractions/vhost_*
+ 150 * (2k+10k) = 1800k abstractions included in every vHost/hat
2040k = 2 MB total profile size if I follow all abstractions/*. Wow.
Currently rcapparmor reload takes 36s on this server (not really
surprising) - that will make it a good performance testbed for the new
> and if you take the steps to setup a policy cache, policy
> loading is very fast,
The problem is that most times when I call "rcapparmor reload",
the reason is a change in the apache profile or one of the hats.
I guess caching doesn't make too much sense then?
Sorry, aber der Anforderungskatalog liest sich ungefähr so, als ob Du
einen familienfreundlichen Ferrari-Kombi der weniger als drei Liter auf
100 km benötigt möchtest. [Manfred Tremmel in suse-laptop]
More information about the AppArmor