Re: [DNG] Beowulf, and Apparmor's effect on bind9

2020-05-24 Thread Jim Jackson


> 
> > Any recommendations for a better panel?
> 
> If you weren't on the list about 6 months ago, there was some
> wonderfully enlightening discussion about de's and wm's that long ago
> or more. I can find the exact dates if you want so you can find it in
> the archives.

Ah now you say that, it rings bells. I'll check it out.

Jim
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [DNG] Beowulf, and Apparmor's effect on bind9

2020-05-24 Thread Jim Jackson



On Sat, 23 May 2020, Hendrik Boom wrote:

> Where does LXQt keep its panel config?
> 

  ~/.config/lxqt/panel.conf

Jim



Re: [DNG] Beowulf, and Apparmor's effect on bind9

2020-05-23 Thread 'smee via Dng
On Sat, 2020-05-23 at 19:54 +0100, Jim Jackson wrote:
> Generally, why does apparmor get installed on a dist-upgrade, when it
> wasn't there initially? It isn't as if it's a new "thing".

That's a good question.



> I got it
> on my ascii -> beowulf upgrade, and removed it.

That was the first thing I did, after looking at the logs, to determine
if apparmor was the problem, after monkeying around with permissions to
no avail. Then I looked up the apparmor message and came up with the
bug (and familiarized myself with apparmor since this was the first
time it's gotten in my way). 

It *seems* like a good security tool, but I certainly don't know enough
yet to make a determination. In this case I decided to trust the devuan
architects/devs that it was a good security enhancement. I reinstalled
it and tried the workaround mentioned in the bug report. I'm sure I
should look into it deeper though, I'm sure I will.

> Why is it the shiny-blingy stuff is so crap?

I use xfce for simplicity's sake with the same idea. The shinier and
better polished, the more likely to be buggy and/or entail a much
larger attack surface. I'm sure it gets simpler/more secure than xfce
but I'm still learning :) and that reminds me of a discussion on this
list not too long ago about desktops. 

> Any recommendations for a better panel?

If you weren't on the list about 6 months ago, there was some
wonderfully enlightening discussion about de's and wm's that long ago
or more. I can find the exact dates if you want so you can find it in
the archives.






Re: [DNG] Beowulf, and Apparmor's effect on bind9

2020-05-23 Thread 'smee via Dng
On Sat, 2020-05-23 at 21:08 +0300, Dimitris via Dng wrote:
> bug report link, was about /var/cache, not /var/log (?).. anyway, the
> default apparmor profile has this :
>
>   # some people like to put logs in /var/log/named/ instead of having
>   # syslog do the heavy lifting.
>   /var/log/named/** rw,
>   /var/log/named/ rw,

yeah apparently same issue, different file.

ah interesting tip.


> some people following net guides/migrating from older versions, already
> used /var/log/bind/ or /var/log/bind8 or /var/log/bind9, or other custom
> log path.


makes sense





> they all fail with default apparmor profile.. so, one could
> add (eg.) :
>
>   /var/log/bind9/** rw,
>   /var/log/bind9/ rw,
>
> and everything would work..

I see

> in your example, "k" is for file lock, not sure it's needed in this case (?)



yeah I'm not sure either, I went with it just on the recommendation of
the bug report, which of course is for a different file which is not a
log, so you're probably right, log files probably don't require a lock.

> 2c.

Thanks for your 2c





Re: [DNG] Beowulf, and Apparmor's effect on bind9

2020-05-23 Thread Hendrik Boom
On Sat, May 23, 2020 at 07:54:55PM +0100, Jim Jackson wrote:
> 
> Generally, why does apparmor get installed on a dist-upgrade, when it 
> wasn't there initially? It isn't as if it's a new "thing". I got it
> on my ascii -> beowulf upgrade, and removed it.
> 
> My desktop was LXQt and the upgrade ignored some customisations. Among 
> other minor irritants the LXQt-panel designers decided to change the clock
> widget and gave it a new name, FFS, and so the old "clock" disappeared but
> its replacement was missing from the config. Nothing to indicate that it
> is now "worldclock", until one googled and hand edited the panel config!

Where does LXQt keep its panel config?

> If 
> Linus was as cavalier in his development approach Linux would never have
> been taken up as it has. Why is it the shiny-blingy stuff is so crap?
> 
> Any recommendations for a better panel?
> 
> Jim


Re: [DNG] Beowulf, and Apparmor's effect on bind9

2020-05-23 Thread Dimitris via Dng
On 5/23/20 9:54 PM, Jim Jackson wrote:
> Generally, why does apparmor get installed on a dist-upgrade, when it 
> wasn't there initially? It isn't as if it's a new "thing". 

in repos since wheezy.. from beowulf/buster on, it is enabled by default:
https://wiki.debian.org/AppArmor/HowToUse#Enable_AppArmor

> I got it
> on my ascii -> beowulf upgrade, and removed it.

https://wiki.debian.org/AppArmor/HowToUse#Disable_AppArmor
--

if anyone wants to disable/debug apparmor for a specific profile, you
can use :
aa-complain /etc/apparmor.d/some.profile
everything will work, with all DENIED msgs printed to dmesg for
review-fixes.
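
As an added example (not part of the original post), this is one way to turn the messages that complain mode leaves in dmesg into candidate lines for the profile's local override file. The log lines, the profile name `/usr/sbin/named` and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed kernel log lines (not from the thread); the field layout follows
# the usual AppArmor audit record. In complain mode the verdict is "ALLOWED".
SAMPLE_DMESG = """\
[ 812.101] audit: type=1400 audit(1590256000.101:41): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/named" name="/var/log/bind9/query.log" pid=1234 comm="named" requested_mask="c" denied_mask="c" fsuid=109 ouid=109
[ 812.102] audit: type=1400 audit(1590256000.102:42): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/log/bind9/query.log" pid=1234 comm="named" requested_mask="ac" denied_mask="ac" fsuid=109 ouid=109
[ 815.440] audit: type=1400 audit(1590256003.440:43): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/misc.log" pid=1234 comm="named" requested_mask="a" denied_mask="a" fsuid=109 ouid=0
[ 820.007] audit: type=1400 audit(1590256008.007:44): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=2201 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')
# Log masks -> profile permissions: create (c) and delete (d) are covered by w.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}

def denied_by_path(log_text, profile):
    """Collect the permissions each path was refused (or would be) under `profile`."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = dict(FIELD.findall(line))
        if rec.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if rec.get("profile") != profile or "name" not in rec:
            continue
        for ch in rec.get("denied_mask", ""):
            if ch in MASK_TO_PERM:
                needed[rec["name"]].add(MASK_TO_PERM[ch])
    return needed

def local_rules(needed):
    """Render one file rule per path, in the syntax of the profile's local/ include."""
    rules = []
    for path in sorted(needed):
        perms = set(needed[path])
        if "w" in perms:
            perms.discard("a")  # a and w are mutually exclusive; w covers append
        rules.append(f"{path} {''.join(p for p in 'rwaklm' if p in perms)},")
    return rules

if __name__ == "__main__":
    print("\n".join(local_rules(denied_by_path(SAMPLE_DMESG, "/usr/sbin/named"))))
```

A `k` only appears in a generated rule when the log shows a lock request, which is one way to settle whether `rwk` or `rw` is needed for a given file.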






Re: [DNG] Beowulf, and Apparmor's effect on bind9

2020-05-23 Thread Dr. Nikolaus Klepp
On Sat, 23 May 2020 19:54:55 +0100 (BST), Jim Jackson wrote:
> 
> Generally, why does apparmor get installed on a dist-upgrade, when it 
> wasn't there initially? It isn't as if it's a new "thing". I got it
> on my ascii -> beowulf upgrade, and removed it.
> 
> My desktop was LXQt and the upgrade ignored some customisations. Among 
> other minor irritants the LXQt-panel designers decided to change the clock
> widget and gave it a new name, FFS, and so the old "clock" disappeared but
> its replacement was missing from the config. Nothing to indicate that it
> is now "worldclock", until one googled and hand edited the panel config! If
> Linus was as cavalier in his development approach Linux would never have
> been taken up as it has. Why is it the shiny-blingy stuff is so crap?
> 
> Any recommendations for a better panel?

Use TDE ... :)

> 
> Jim



-- 
Please do not email me anything that you are not comfortable also sharing with 
the NSA, CIA ...


Re: [DNG] Beowulf, and Apparmor's effect on bind9

2020-05-23 Thread Jim Jackson

Generally, why does apparmor get installed on a dist-upgrade, when it 
wasn't there initially? It isn't as if it's a new "thing". I got it
on my ascii -> beowulf upgrade, and removed it.

My desktop was LXQt and the upgrade ignored some customisations. Among 
other minor irritants the LXQt-panel designers decided to change the clock
widget and gave it a new name, FFS, and so the old "clock" disappeared but
its replacement was missing from the config. Nothing to indicate that it
is now "worldclock", until one googled and hand edited the panel config! If
Linus was as cavalier in his development approach Linux would never have
been taken up as it has. Why is it the shiny-blingy stuff is so crap?

Any recommendations for a better panel?

Jim




Re: [DNG] Beowulf, and Apparmor's effect on bind9

2020-05-23 Thread Dimitris via Dng
On 5/23/20 8:42 PM, 'smee via Dng wrote:
> 
> The workaround mentioned in the bug report for is to add explicit
> permissions in /etc/apparmor.d/local/usr.sbin.named by adding a line to
> that file with the path to the problem file and the permissions. In
> this case rwk for read/write/lock. In my case I added this line:
> 
> /var/log/misc.log rwk,


[plain text this time..]

bug report link, was about /var/cache, not /var/log (?).. anyway, the
default apparmor profile has this :

  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  /var/log/named/** rw,
  /var/log/named/ rw,

some people following net guides/migrating from older versions, already
used /var/log/bind/ or /var/log/bind8 or /var/log/bind9, or other custom
log path. they all fail with default apparmor profile.. so, one could
add (eg.) :

  /var/log/bind9/** rw,
  /var/log/bind9/ rw,

and everything would work..

in your example, "k" is for file lock, not sure it's needed in this case (?)

2c.
d.
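
As an added example (not part of the original post), the following checks which log paths the rules quoted above actually cover, before and after the suggested additions. The glob handling is a simplified approximation of AppArmor's matching, and the function names and sample accesses are assumptions made for the example.

```python
import re

# Rules quoted in the thread: the stock named profile, then the suggested
# additions for /etc/apparmor.d/local/usr.sbin.named.
DEFAULT_RULES = ["/var/log/named/** rw,", "/var/log/named/ rw,"]
LOCAL_RULES = ["/var/log/bind9/** rw,", "/var/log/bind9/ rw,"]

def parse_rule(rule):
    """Split 'path perms,' into (compiled path regex, set of permission letters)."""
    path, perms = rule.rstrip().rstrip(",").rsplit(None, 1)
    # Simplified globbing (assumption): ** spans '/', * stays inside one path
    # component, and each needs at least one character, so '/dir/**' does not
    # match '/dir/' itself (hence the separate directory rule).
    parts = re.split(r"(\*\*|\*)", path)
    regex = "".join(".+" if p == "**" else "[^/]+" if p == "*" else re.escape(p)
                    for p in parts)
    return re.compile(regex), set(perms)

def missing_perms(rules, path, wanted):
    """Return the permissions in `wanted` that no matching rule grants for `path`."""
    granted = set()
    for rule in rules:
        regex, perms = parse_rule(rule)
        if regex.fullmatch(path):
            granted |= perms
    return set(wanted) - granted

def audit(rules, accesses):
    """Map each (path, wanted) access to the permissions still missing."""
    return {path: "".join(sorted(missing_perms(rules, path, wanted)))
            for path, wanted in accesses}

# Constructed accesses: one log under each layout mentioned in the thread.
ACCESSES = [("/var/log/named/query.log", "rw"), ("/var/log/bind9/query.log", "rw"),
            ("/var/log/bind9/", "rw"), ("/var/log/misc.log", "rwk")]

if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_RULES),
                         ("default+local", DEFAULT_RULES + LOCAL_RULES)):
        print(label, audit(rules, ACCESSES))
```

With these inputs the bind9 additions clear the `/var/log/bind9/` entries, while `/var/log/misc.log` stays uncovered and still needs its own rule.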


