Am Donnerstag, 7. April 2016, 09:57:17 CEST schrieb Ruediger Meier:
> On Wednesday 06 April 2016, Christian Boltz wrote:
> > You'll probably need to adjust the AppArmor profile a bit to allow
> > that. Otherwise, nscd won't be able to restart itsself (which
> > effectively means ignoring the paranoia mode).
> > https://bugzilla.opensuse.org/show_bug.cgi?id=971790
> Thanks, good to know.
> There seems to be another bug
> $ nscd --invalidate
> does not to work.
> The only way to reset cache and stats is to set
> persistent xyz no
> and rcnscd.restart.
I Just tested this (on 13.1, and also on Tumbleweed), and it works.
Does the syslog tell you anything about why --invalidate doesn't work?
Does /var/log/audit/audit.log contain any denials? (I doubt that
AppArmor restrictions are involved here, but just to be sure.)
> How would I disable appamor system wide?
Like every other service - rcapparmor stop 
However I hope you won't do this. The better way is usually to
- switch the profile to complain/learning mode: aa-complain nscd
- let the service run for a while
- run aa-logprof to update the profile
- enforce the profile again: aa-enforce nscd
BTW: You might be interested in my AppArmor Crash Course:
(PDFs linked at the end of the article)
I'll also give an updated version of this talk at the openSUSE
conference (assuming my proposal gets accepted).
 Note that starting it again with rcapparmor start is not enough
to re-add the protection to running processes. You'll need to
restart those processes, and aa-status can give you a list of
what you should restart (in the "unconfined but..." section).
>...was dann wieder in polnisch, tschechisch und auf'm Mars versagt. :-)
Die Sprachen habe ich noch nie benötigt. Und auf dem Mars gibts ne
eigene Distri (für 21-Saugnapf-Tastaturen).
[> Ratti und Jan Trippler in suse-linux]
Evergreen mailing list