[apparmor] [opensuse-factory] 12.1 is around the corner, and I must make my concerns known.

Roger Luedecke roger.luedecke at gmail.com
Wed Aug 17 04:12:44 UTC 2011


On Tuesday, August 16, 2011 02:43:37 PM Christian Boltz wrote:
> There is aa-notify (accidentally named /usr/sbin/aa-apparmor_notify in 
> 11.4). Unfortunately it is underdocumented :-( and since it needs to 
> start as root (for read permissions on audit.log), it should probably be 
> started by init/systemd.
> 
> There's a bit of configuration needed, I can write about the details if 
> someone is interested. It works (well, see next paragraph) and gives you 
> nice desktop notifications.
> 
> Unfortunately a security feature of aa-notify strikes back - it drops 
> privileges after startup and then can't access /var/log/audit/ anymore.
> I'm just sorting that out with Jamie (one of the AppArmor developers). 
> Unless there is a patch, the workaround is   chmod 755 /var/log/audit/ 
> (or better use chgrp trusted and chmod 750)

Well now, then we just need to get this working then. That will be a massive 
boon. Quite frankly I can't imagine why this wouldn't have been a priority. 
The majority of Linux/openSUSE users I know are home desktop users. In fact, I 
only know one person who uses a non-enterprise supported Linux in a corporate 
space... which is openSUSE proudly enough.
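
The quoted message offers two workarounds for /var/log/audit/ (chmod 755, or chgrp trusted with chmod 750). The following is an added example, not part of the original thread or of AppArmor, that reports which of those states a directory is in; it assumes GNU stat, and `audit_dir_access` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: classify who can enter an audit log directory.
# Assumes GNU stat (-c); audit_dir_access is a hypothetical helper name.
# Usage: audit_dir_access /var/log/audit trusted

audit_dir_access() {
    dir=$1
    want_group=$2

    # %a = octal mode, %G = owning group name
    info=$(stat -c '%a %G' "$dir") || return 2
    mode=${info%% *}
    group=${info#* }

    # Keep only the rwx digits (drops setuid/setgid/sticky), zero-padded.
    perm=$(printf '%03d' "$mode" | tail -c 3)
    grp_digit=${perm#?}; grp_digit=${grp_digit%?}
    oth_digit=${perm#??}

    if [ $(( oth_digit & 1 )) -eq 1 ]; then
        # State after "chmod 755": every local user can traverse the directory.
        echo "world-traversable"
    elif [ $(( grp_digit & 1 )) -eq 1 ]; then
        if [ "$group" = "$want_group" ]; then
            # State after "chgrp trusted" + "chmod 750".
            echo "group-restricted"
        else
            # Group access is enabled, but for a different group.
            echo "group-mismatch"
        fi
    else
        # Only the owner can enter; a process that is neither owner nor root cannot.
        echo "owner-only"
    fi
}
```

A result of `world-traversable` means the directory is open to every local account, which is why the quoted message prefers the group-based variant.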


