On Wed, Feb 28, 2007 at 06:47:20PM +0000, Peter Bradley wrote:
> Well, "going wild" may be a bit colourful :) but I somehow went from
> having no problem at all with Apache to having nothing but trouble - and
> it all turned out to be because AppArmor was (if I understand correctly
> how it works) denying it access to the file system. I had to use the
> most general glob possible in the end, because anything else fell over
> the next time a new, unique filename was created.

Well, hopefully you were able to find something better than /** rw, :) but yes, you have a pretty good grasp of how AppArmor works. :)

> Why it should suddenly have started denying access is a complete mystery
> to me.

Our supplied profiles are a difficult mixture of trying to allow usual configurations to work bug-free out of the box, allowing people to make some customizations without too much trouble, and still trying to provide some level of security. It is a delicate balance, especially for something as generic as Apache. (This is one of the reasons why we moved away from turning on the Apache profile by default in future releases -- very few people leave Apache alone, so everyone's is unique, and providing any sort of meaningful security policy that fits everyone is pretty difficult.)

So we provide a base one for people to copy if they wish in 10.1, 10.2, etc., and ask people to use aa-genprof or aa-logprof to customize the policy for their own use once deployed.

> I'm still on 10.0. It's been so hard to get it configured how I want it
> that I'm a bit unwilling to upgrade - especially having seen all the
> problems that people have had with upgrades. I really don't want to
> have to do a clean install of a newer version and have to go through
> weeks of configuring everything (Apache, PHP, Zend IDE and Platform,
> MySQL + tools, etc etc).

I completely understand this sentiment. ;) I normally skip a release or two between updates, simply because I do not like to be without a usable computer for a day or two..

> And please don't regard my comments as a complaint. Despite the fact
> that I've found 10.0 to be more flakey than any other OS I've ever
> installed, I still wouldn't go back to Windows. I just reckon that
> occasionally you have to suffer to be free :)

It's an interesting one-step-forwards, one-step-backwards, and sometimes steps to the side... Recent Linux systems seem to be flakier than the Linux I used a decade ago, but they are also far more featureful. (perhaps it is simply how I use my system that has changed.)

> Now, I'm going to post this before Thunderbird crashes.

Success :)

Thanks
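
An added illustration of the glob point in this exchange (not code from either poster or from the AppArmor project): a simplified Python model of the `*`, `**` and `?` path wildcards, used to compare `/** rw,` with a narrower rule set. The rule sets and paths are constructed for the example, and the real AppArmor parser supports more syntax than this model.

```python
import re

def aa_glob_to_regex(glob):
    """Translate a simplified AppArmor path glob into a compiled regex."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")        # ** crosses directory boundaries
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")     # * stays inside one path component
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")      # ? is one character, never '/'
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))

def allowed(rules, path, want):
    """True if some (glob, perms) rule grants every permission in `want`."""
    return any(set(want) <= set(perms) and aa_glob_to_regex(g).fullmatch(path)
               for g, perms in rules)

# Constructed rule sets: the catch-all from the thread and a narrower profile.
BROAD = [("/**", "rw")]
NARROW = [
    ("/srv/www/htdocs/**", "r"),          # read the whole document root
    ("/srv/www/htdocs/uploads/*", "rw"),  # new, unique filenames land here
    ("/var/log/apache2/*.log", "w"),
]

# Constructed (path, requested permission) pairs.
REQUESTS = [
    ("/srv/www/htdocs/uploads/img_20070228_a91f.png", "w"),
    ("/srv/www/htdocs/index.php", "r"),
    ("/srv/www/htdocs/index.php", "w"),
    ("/srv/www/htdocs/uploads/sub/x.png", "w"),
    ("/etc/shadow", "r"),
]

def compare(requests=REQUESTS):
    """Return (path, perm, allowed_by_broad, allowed_by_narrow) per request."""
    return [(p, w, allowed(BROAD, p, w), allowed(NARROW, p, w))
            for p, w in requests]

if __name__ == "__main__":
    for path, perm, broad, narrow in compare():
        print(f"{perm} {path:50} broad={broad!s:5} narrow={narrow}")
```

The narrow set still admits a never-before-seen upload filename, while the catch-all also grants the last three requests that the narrow set refuses.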
