[Apparmor-general] AppArmor definition of a home directory too rigid
Michael.James at csiro.au
Wed Aug 1 20:52:31 MDT 2007
The supplied AppArmor Profiles are causing a rash of problems.

Tip:
To help stay ahead of trouble, put this into /etc/logdigest/alarming.local

    kernel: SubDomain: REJECTING

You'll see all the hits in your logdigest email.
(You do use logdigest don't you? It's magic for sysadmins)

Home Dir recognition:
It is written explicitly in almost all subdomain's profiles
that home dirs are of the form /home/<username>/.
If, like me, you use /home/<group>/<username>,
AppArmor will cause you many subtle problems.
I notice it when ~/.ssh/authorized_keys stops working.

This is a bug, and will go on being one till we get
a system that feeds a variable definition into the profiles.
Base its value on the default new user profile from YaST.

In the meantime the default profiles need to relax
/home/*/ to /home/**/

root> cd /etc/subdomain
root> perl -i -pe 's|/home/\*/|/home/**/|g' \
        *bin* *lib* abstractions/* program-chunks/*

Individual installations could put an explicit /home/*/*/

That's my opinion and I'm sticking to it.
On a server with any reasonable number of users,
having the home dirs grouped is too big a win
to change just because "the system wants it that way".

michaelj
--
Michael James michael.james at csiro.au
System Administrator voice: 02 6246 5040
CSIRO Bioinformatics Facility fax: 02 6246 5166
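
The mismatch described in the message above, as an added example that is not part of the original post: a simplified Python model of AppArmor path globbing that compares the three home-directory patterns the message mentions. It assumes only `*` (stays within one path component) and `**` (may cross `/`) need handling; the user, group and project names are constructed.

```python
import re

def aa_glob_to_regex(rule):
    """Translate an AppArmor-style path glob into a compiled regex.

    Simplified model (assumption): only '*' and '**' are handled;
    other glob forms such as '?', '[]' and '{}' are treated literally.
    """
    parts, i = [], 0
    while i < len(rule):
        if rule.startswith("**", i):
            parts.append(".*")       # '**' may cross '/' boundaries
            i += 2
        elif rule[i] == "*":
            parts.append("[^/]*")    # '*' stays inside one path component
            i += 1
        else:
            parts.append(re.escape(rule[i]))
            i += 1
    return re.compile("".join(parts))

def rule_matches(rule, path):
    """True if the whole path is covered by the rule's glob."""
    return aa_glob_to_regex(rule).fullmatch(path) is not None

# The three pattern shapes from the message, applied to authorized_keys.
RULES = [
    "/home/*/.ssh/authorized_keys",     # shipped profiles: /home/<username>/
    "/home/**/.ssh/authorized_keys",    # proposed relaxation
    "/home/*/*/.ssh/authorized_keys",   # explicit /home/<group>/<username>/
]

# Constructed sample paths (hypothetical names).
PATHS = {
    "flat":    "/home/alice/.ssh/authorized_keys",
    "grouped": "/home/bio/alice/.ssh/authorized_keys",
    "nested":  "/home/bio/alice/projects/x/.ssh/authorized_keys",
}

def coverage():
    """Map each rule to {layout label: does the rule cover that path}."""
    return {rule: {label: rule_matches(rule, path)
                   for label, path in PATHS.items()}
            for rule in RULES}

if __name__ == "__main__":
    for rule, hits in coverage().items():
        print(f"{rule:34}", hits)
```

In this model `/home/**/` covers the grouped layout but also any deeper nesting under /home, while the explicit `/home/*/*/` form covers only the two-level layout.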