On Thursday, 7 April 2016, 09:57:17 CEST, Ruediger Meier wrote:
> On Wednesday 06 April 2016, Christian Boltz wrote:
> > You'll probably need to adjust the AppArmor profile a bit to allow
> > that. Otherwise, nscd won't be able to restart itself (which
> > effectively means ignoring the paranoia mode).
> > 
> > https://bugzilla.opensuse.org/show_bug.cgi?id=971790
> Thanks, good to know.
> There seems to be another bug
> $ nscd --invalidate
> does not work.
> The only way to reset cache and stats is to set
>   persistent   xyz           no
> and rcnscd.restart.

I just tested this (on 13.1, and also on Tumbleweed), and it works.

Does the syslog tell you anything about why --invalidate doesn't work?
Does /var/log/audit/audit.log contain any denials? (I doubt that 
AppArmor restrictions are involved here, but just to be sure.)

> How would I disable AppArmor system wide?

Like every other service - rcapparmor stop   [1]

However I hope you won't do this. The better way is usually to
- switch the profile to complain/learning mode:   aa-complain nscd
- let the service run for a while
- run   aa-logprof   to update the profile
- enforce the profile again:   aa-enforce nscd

BTW: You might be interested in my AppArmor Crash Course:
    (PDFs linked at the end of the article)

I'll also give an updated version of this talk at the openSUSE 
conference (assuming my proposal gets accepted).


Christian Boltz

[1] Note that starting it again with   rcapparmor start   is not enough
    to re-add the protection to running processes. You'll need to 
    restart those processes, and   aa-status   can give you a list of
    what you should restart (in the "unconfined but..." section).
>...which then fails again in Polish, Czech and on Mars. :-)
I have never needed those languages. And on Mars there's a
separate distro (for 21-suction-cup keyboards).
[> Ratti and Jan Trippler in suse-linux]
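
Added example, not part of the original message: one way to answer the "does audit.log contain any denials?" question above is to summarize the AppArmor events recorded for the nscd profile. The sample log lines are constructed, and the function names and the profile-suffix match are assumptions of this sketch.

```python
import re
from collections import Counter

# Constructed sample lines in the audit.log format AppArmor uses (not from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1460015837.101:501): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/proc/2211/cmdline" pid=2211 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1460015837.102:502): apparmor="DENIED" operation="exec" profile="/usr/sbin/nscd" name="/usr/sbin/nscd" pid=2211 comm="nscd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1460015840.310:503): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nscd" name="/etc/nscd.conf" pid=2211 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1460015841.000:504): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/foo" pid=900 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=USER_LOGIN msg=audit(1460015842.000:505): pid=1 uid=0 msg='op=login res=success'
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_event(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in FIELD.findall(line)}


def summarize(log_text, profile_suffix="nscd"):
    """Count (verdict, operation, name, denied_mask) for one profile.

    DENIED entries are blocks in enforce mode; ALLOWED entries are what
    complain mode records for aa-logprof to review.
    """
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_apparmor_event(line)
        if event and event.get("profile", "").endswith(profile_suffix):
            counts[(event["apparmor"], event.get("operation", ""),
                    event.get("name", ""), event.get("denied_mask", ""))] += 1
    return counts


if __name__ == "__main__":
    for (verdict, op, name, mask), n in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print(f"{n:3d}  {verdict:8s} {op:6s} {mask:3s} {name}")
```

To use it on a real system, pass the contents of /var/log/audit/audit.log (readable by root) instead of the constructed sample.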

Evergreen mailing list
