[apparmor] Debian Wheezy: Profile doesn't conform to protocol

John Johansen john.johansen at canonical.com
Sat Sep 29 11:55:06 UTC 2012


On 09/28/2012 10:40 AM, intrigeri wrote:
> Hi!
> 
> John Johansen wrote (27 Sep 2012 18:01:38 GMT) :
>> On 09/27/2012 10:23 AM, Jeroen Ooms wrote:
> 
>>>  - Is there a way that the apparmor init script can be modified to
>>> give a single warning (rather than one for every profile) about the
>>> kernel version not supporting network rules? [...]
>>>
>> It should be possible to add the -q (quiet flag) to the
>> apparmor_parser invocation in the init script, but then you will
>> lose this type of warning, and a few others completely. However for
>> Debian this may be the correct solution as the network rule
>> situation is known.
> 
> Interesting. What other warnings would we hide if we went this way?
> 

skipping disabled profile
cannot use update cache
upper case perms RWLIMX are deprecated
unconfined exec qualifier allows some dangerous environment variables
mount rules not enforced
network rules not enforced

>> There is a new apparmor networking patch in the works, and it will
>> go upstream at some point so I would expect Networking support in
>> Debian 8.
> 
> :)
> 
>> So for Debian 7 to get networking rule support, the current solution is
>> to either install an Ubuntu kernel, or build a custom kernel by
>> applying the out of tree networking patch to the Debian kernel.
> 
> Once Debian Wheezy (7) is released, and the new networking patch is
> upstreamed, then another possibility will be to use a more recent
> Linux kernel from wheezy-backports.
> 
> Cheers!
> 



