On Sat, Nov 08, 2008 at 02:38:51PM -0000, loko wrote:
> This does not work because I linked /tmp with a symlink to /home/tmp.
>
> Instead of a symlink it only works (in my case) with:
>
>     mount -o bind /home/tmp /tmp
I hesitate to mention this due to some caveats that I'll list below, but AppArmor in intrepid has some additional functionality that can make dealing with symlinked directories easier. The ability to add alias rules was added, so that you could state something like the following:

    alias /tmp -> /home/tmp,

The caveats are:

- In intrepid, the alias rules need to be *the first* rules to occur. These must come before variable declarations or program declarations or a program name. #include's do get pre-processed before alias rules are dealt with, so alias rules can occur at the beginning of the first included file; e.g. adding alias rules to the beginning of /etc/apparmor.d/tunables/global probably makes sense. (This is a bug in intrepid's apparmor; it has been fixed upstream so that variable declarations and alias rules can be intermixed, though both must occur before profile definitions for programs are declared.)

- The profile tools like aa-genprof are unlikely to be aware of alias rules, and it's possible that using the tools may cause the alias rules to be stripped out of the policy. (However, the tools do not modify files that are included, so again placing alias rules in tunables/global is probably the safest bet.) If you need to use the aa-genprof or aa-logprof tools to manage your profiles, you likely do not want to use alias rules yet.

- It's essentially a macro substitution, so the example alias rule given above would map both /tmp to /home/tmp as well as /tmptation to /home/tmptation. The safer declaration would be:

      alias /tmp/ -> /home/tmp/,

  as that will only apply to things in /tmp/.

- Duplicate mappings are detected by the policy parser, but overlapping mappings are not, and are likely not handled correctly; e.g.:

      alias /usr -> /User,
      alias /usr/lib -> /Libraries,

  is not detected and results in undefined behavior.

- It's ultimately not a well-tested feature; there may be additional bugs or unexpected behavior if alias rules are used.
But testing this would be very much appreciated by upstream, as well as feedback as to the utility of this feature.

Hope this helps. Thanks.

-- 
Steve Beattie <[EMAIL PROTECTED]>
http://NxNW.org/~steve/

-- 
Error with guest-session and apparmor when tmp is not in /
https://bugs.launchpad.net/bugs/295557

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
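As an added example (not part of the original message, and not apparmor_parser's own code), the following Python lint models the alias-rule caveats listed in the reply above so a practitioner can check a policy before loading it: aliases placed after a variable or profile declaration (the intrepid ordering requirement), alias sources without a trailing slash (the /tmp vs /tmptation problem), and duplicate or overlapping sources. It treats an alias as plain textual prefix substitution on the paths that appear in rules, which is the behaviour the message describes, not a reimplementation of the parser's rewriting. The policy snippets, including the /usr/bin/example-app profile name, are constructed for this example.

```python
"""Lint AppArmor alias rules for the intrepid-era caveats listed above.

Added example, not apparmor_parser's code. An alias is modelled as plain
textual prefix substitution on rule paths (the behaviour the message
describes). The lint flags:
  1. alias rules after a variable declaration or profile header
     (intrepid's parser requires aliases to come first),
  2. alias sources without a trailing slash (so /tmp also rewrites /tmptation),
  3. duplicate and overlapping alias sources (overlap is undefined behaviour).
All policy text below is constructed for this example.
"""
import re

ALIAS_RE = re.compile(r'^\s*alias\s+(\S+)\s*->\s*(\S+?)\s*,\s*$')
# @{NAME}=... or @{NAME}+=... variable declaration
VAR_RE = re.compile(r'^\s*@\{\w+\}\s*\+?=')
# "/path {" or "profile /path flags=(...) {" profile header
PROFILE_RE = re.compile(r'^\s*(?:profile\s+)?/\S+\s*(?:flags=\([^)]*\)\s*)?\{')


def parse_aliases(policy):
    """Return (aliases, ordering_problems); aliases are (source, target)
    tuples in order of appearance. #include lines are skipped because they
    are expanded before alias rules are handled, so they do not count as a
    declaration for ordering purposes."""
    aliases, problems = [], []
    seen_declaration = False
    for lineno, line in enumerate(policy.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = ALIAS_RE.match(line)
        if m:
            if seen_declaration:
                problems.append(
                    f"line {lineno}: alias rule after a variable or profile "
                    "declaration; intrepid's parser requires aliases first")
            aliases.append(m.groups())
        elif VAR_RE.match(line) or PROFILE_RE.match(line):
            seen_declaration = True
    return aliases, problems


def check_aliases(aliases):
    """Flag missing trailing slashes, duplicate and overlapping sources."""
    problems = []
    for src, dst in aliases:
        if not src.endswith('/'):
            problems.append(
                f"alias {src} -> {dst}: no trailing slash, so it also rewrites "
                f"{src}tation -> {dst}tation; use {src}/ -> {dst}/")
    for i, (a, _) in enumerate(aliases):
        for b, _ in aliases[i + 1:]:
            if a == b:
                problems.append(f"duplicate alias source {a}")
            elif a.startswith(b) or b.startswith(a):
                problems.append(
                    f"overlapping alias sources {a} and {b}: "
                    "not rejected by the parser, behaviour undefined")
    return problems


def lint(policy):
    """Parse one policy text and return (aliases, all_problems)."""
    aliases, problems = parse_aliases(policy)
    return aliases, problems + check_aliases(aliases)


def aliased_path(rule_path, aliases):
    """Model of the macro substitution: the extra path a rule for rule_path
    also covers under the first alias whose source is a textual prefix of it.
    Only meaningful for non-overlapping aliases; unchanged if none applies."""
    for src, dst in aliases:
        if rule_path.startswith(src):
            return dst + rule_path[len(src):]
    return rule_path


# Constructed samples modelled on tunables/global followed by a profile;
# /usr/bin/example-app is a placeholder name, not a real profile.
UNSAFE_POLICY = """\
alias /tmp -> /home/tmp,
alias /usr -> /User,
alias /usr/lib -> /Libraries,
@{HOME}=/home/
/usr/bin/example-app {
  /tmp/** rw,
}
"""

SAFE_POLICY = """\
alias /tmp/ -> /home/tmp/,
@{HOME}=/home/
/usr/bin/example-app {
  /tmp/** rw,
}
"""

MISORDERED_POLICY = """\
@{HOME}=/home/
alias /tmp/ -> /home/tmp/,
"""

if __name__ == "__main__":
    for name, text in (("unsafe", UNSAFE_POLICY), ("safe", SAFE_POLICY),
                       ("misordered", MISORDERED_POLICY)):
        aliases, problems = lint(text)
        print(f"{name}: {len(problems)} problem(s)")
        for p in problems:
            print("  " + p)
        print("  /tmptation/x ->", aliased_path("/tmptation/x", aliases))
```

Running it on the unsafe sample reports three missing trailing slashes and the /usr versus /usr/lib overlap, and shows that a rule for /tmptation/x would also be rewritten to /home/tmptation/x; the safe sample, with `alias /tmp/ -> /home/tmp/,` placed before the variable declaration, produces no findings and leaves /tmptation alone. Because this is a textual model, treat its output as a pre-check on the policy source, not as a statement of what a given apparmor_parser release will do with overlapping rules.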