Hello,

On Tuesday, 2 May 2017, 11:26:36 CEST, John Johansen wrote:
> On 05/02/2017 01:58 AM, Lentes, Bernd wrote:
> > ----- On Apr 29, 2017, at 3:02 AM, Seth Arnold [email protected] wrote:
> >> On Wed, Apr 26, 2017 at 08:26:10PM +0200, Lentes, Bernd wrote:
> >>> I have a SLES 10 SP4 box.

That sounds like a terribly old AppArmor version, but still,
mod_apparmor probably didn't change too much in the meantime.

BTW: You might want to steal ;-)
    /etc/apparmor.d/abstractions/apache2-common
from a more recent AppArmor release. Note that you'll probably have to
remove the "signal" rules - I'd be surprised if apparmor_parser on SLE10
can handle them.

> There are a couple of things that could be done to help. An
> interactive learning mode could make the decision at request time, at
> the cost of blocking until ready. We could also allow adding some
> rules that would provide patterns for what kind of requests should map
> to which profiles, or if they should create a new custom learning
> profile.

Or you can do something simple and boring - create the hat manually in
the profile [1] (and reload the profile) before using it ;-)
That will stop the change_hat guessing and ensure everything gets logged
for the hat you want to use.

Regards,

Christian Boltz

[1] actually I have a script to do that - but it's written in a way that
    _will_ break profiles if they don't match the whitespace it expects,
    so I won't publish it. If this still didn't scare you away, ask me
    off-list if you really want it ;-)
--
A car also "works" with square tires; whether I want to drive something
like that is another question. [Björn Meier in postfixbuch-users]
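
Added example, not part of the original message and not the script mentioned in footnote [1]: a read-only check that lists the hats already declared in a profile, so a missing one can be created by hand before it is used. The profile text, its path and the hat names `webapp` and `admin` are constructed for illustration, and only the `^name { ... }` hat syntax is handled.

```python
import re

# Constructed sample profile; path and hat names are assumptions.
SAMPLE_PROFILE = """\
/usr/sbin/httpd2-prefork flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/apache2-common>

  ^DEFAULT_URI flags=(complain) {
    #include <abstractions/apache2-common>
  }

  # Empty hat created by hand so requests get logged under this name
  ^webapp flags=(complain) {
  }
}
"""

# A hat declaration: optional indent, '^', a bare or quoted name,
# optional flags=(...), then the opening brace. Commented-out lines
# do not match because '#' would precede the '^'.
HAT_RE = re.compile(
    r'^[ \t]*\^("[^"]+"|[^\s{]+)[ \t]*(?:flags=\([^)]*\)[ \t]*)?\{',
    re.MULTILINE,
)


def declared_hats(profile_text):
    """Return the set of hat names declared in the profile text."""
    return {m.group(1).strip('"') for m in HAT_RE.finditer(profile_text)}


def missing_hats(profile_text, wanted):
    """Return the wanted hat names that the profile does not declare yet."""
    have = declared_hats(profile_text)
    return [name for name in wanted if name not in have]


if __name__ == "__main__":
    print("declared:", sorted(declared_hats(SAMPLE_PROFILE)))
    print("missing: ", missing_hats(SAMPLE_PROFILE, ["webapp", "admin"]))
```

A hat reported as missing still has to be added to the profile by hand, and the profile reloaded with `apparmor_parser -r`, before it takes effect.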
