[Apparmor-general] Moving To A Pure Capability Model?
Christian Boltz
apparmor at cboltz.de
Sun Jan 28 07:57:08 MST 2007
Hello,
just a small note:
On Thursday, 25 January 2007 17:31, Crispin Cowan wrote:
> Perhaps in this case it would be best to use the hack of caching the
> original file name instead of working hard to recover the current file
> name.
I would prefer this.
Reason: I once had the case that Apache was denied write access to
access_log.20070128 because logrotate was too slow in restarting
Apache ;-)
IMHO it would be a good thing to allow access if the original filename
was allowed. This would cause less harm than allowing access to
access_log* (which allows access to all the old logs)
> I don't like it,
Why? ;-)
IMHO, if the process had access to a file, it won't harm much if it
still has access after renaming the file.
Regards,
Christian Boltz
--
Why do you focus so much on _new_ technology? -- New is better. Is
nothink old that is better than new. -- Yes there is. -- Da? Namink
one then. -- The Original Pentium versus counting on your fingers.
-- Da. Da. "Don't divide. Intel inside" [Sid & Pitr in userfriendly]
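
The trade-off discussed in this message, as an added example that is not part of the original post and is not AppArmor code: a toy model of path-based write mediation comparing a recheck against the current file name, a recheck against the cached original name, and a widened access_log* rule. The log directory, the older log name, the function names and the use of Python's fnmatch as the glob matcher are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

LOG_DIR = "/var/log/apache2/"  # constructed path, not taken from the post


@dataclass
class OpenFile:
    """Open handle that remembers the name it was opened under."""
    opened_as: str  # name checked against the profile at open() time
    current: str    # name the file has now (changes on rename)


def allowed(rules, path):
    """True if any write rule (glob) in the toy profile matches path."""
    return any(fnmatchcase(path, rule) for rule in rules)


def open_for_write(rules, path):
    """A fresh open() is always mediated by the name being opened."""
    return OpenFile(path, path) if allowed(rules, path) else None


def write_current_name(rules, fh):
    """Recheck a write on an open handle against the file's current name."""
    return allowed(rules, fh.current)


def write_cached_name(rules, fh):
    """Recheck a write on an open handle against the cached original name."""
    return allowed(rules, fh.opened_as)


def scenario():
    strict = [LOG_DIR + "access_log"]
    widened = [LOG_DIR + "access_log*"]
    old_log = LOG_DIR + "access_log.20070101"  # constructed older log

    fh = open_for_write(strict, LOG_DIR + "access_log")
    # logrotate renames the file before Apache has been restarted
    fh.current = LOG_DIR + "access_log.20070128"

    return {
        "strict_current_name": write_current_name(strict, fh),
        "strict_cached_name": write_cached_name(strict, fh),
        "widened_current_name": write_current_name(widened, fh),
        "strict_opens_old_log": open_for_write(strict, old_log) is not None,
        "widened_opens_old_log": open_for_write(widened, old_log) is not None,
    }
```

In this model the cached-name check keeps the already-open handle writable after the rename without granting fresh opens of older rotated logs, which the widened glob does grant.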