Hello, Am Dienstag, 2. Mai 2017, 11:26:36 CEST schrieb John Johansen: > On 05/02/2017 01:58 AM, Lentes, Bernd wrote: > > ----- On Apr 29, 2017, at 3:02 AM, Seth Arnold seth.arn...@canonical.com wrote: > >> On Wed, Apr 26, 2017 at 08:26:10PM +0200, Lentes, Bernd wrote:
> >>> I have a SLES 10 SP4 box. That sounds like a terribly old AppArmor version, but still, mod_apparmor probably didn't change too much in the meantime. BTW: You might want to steal ;-) /etc/apparmor.d/abstractions/apache2-common from a more recent AppArmor release. Note that you'll probably have to remove the "signal" rules - I'd be surprised if apparmor_parser on SLE10 can handle them. > There are a couple of things that could be done to help. An > interactive learning mode could make the decision at request time, at > the cost of blocking until ready. We could also allow adding some > rules that would provide patterns for what kind of requests should map > to which profiles, or if they should create a new custom learning > profile. Or you can do something simple and boring - create the hat manually in the profile [1] (and reload the profile) before using it ;-) That will stop the change_hat guessing and ensure everything gets logged for the hat you want to use. Regards, Christian Boltz [1] actually I have a script to do that - but it's written in a way that _will_ break profiles if they don't match the whitespace it expects, so I won't publish it. If this still didn't scare you away, ask me off-list if you really want it ;-) -- ein Auto "funktioniert" auch mit eckigen Reifen, ob ich so etwas fahren möchte ist wieder eine andere Frage. [Björn Meier in postfixbuch-users]
signature.asc
Description: This is a digitally signed message part.
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor