On 06/01/2014 10:47 PM, John Goerzen wrote:
> 1) Installing lxc renders AppArmor unusable on the entire system because
> the LXC profiles have syntax errors.

i take it you're using apparmor and are familiar with it. would you be so kind as to prepare a patch to apply in lxc to make the missing pieces work for you?

(like said in the other bug, patches are welcome, and also, i specifically asked *what* would be broken, since i do not use that optional feature of lxc nor am familiar with it (being apparmor that is)).

> There is a reason I created two different bug reports for them. Do you
> really believe #1 and #2 are the SAME bug?

please calm down.

first of all, you created a mess with cloning bugs around where it was anything but understandable what you intended to do. i cleaned it up as best as i could by closing those that were from my point of view solved, and asked for more information on the others.

cloning an unrelated bug and retitling it is *not* a proper bug report.

> I don't want to stomp all over your bug playground, but AppArmor is NOT
> fixed in 750107. /sys is NOT mounted securely (the exploit against the
> host's root exists). /proc is NOT mounted securely either (/proc/sys is
> writeable, /proc/kmem is available, etc.) The lxc.container.conf
> manpage describes enabling AppArmor, which even that does not work. If
> you intend to rip out AppArmor entirely, then it shouldn't be documented
> as existing in the manpage and README.

like i said, i do not use apparmor, bin:lxc is pure upstream - nothing specific to debian nor did i 'rip out' anything.

if you would like to use apparmor with lxc, please file upstream bug reports about it - like i said earlier, upstream has not completely integrated apparmor support in lxc yet.

if you would like me to disable apparmor until it's ready, that would be also fine for me. let me know what you want me to do.
-- 
Address: Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
Email: daniel.baum...@progress-technologies.net
Internet: http://people.progress-technologies.net/~daniel.baumann/