Tuesday, 26 December 2017
AppArmor 2.12 - The Grinch is confined!
Comments
Hi,
even considering the existence of the "aa-teardown" command, I don't think this is a good idea, both from a "philosophical" point of view and for the coherence of the systemctl set of commands. Commands should do what it's expected they will do, and people that use 'systemctl' are (or should be) used to administrative tasks, including knowing the difference between "restart" and "reload". Even the argument "but who would do that?" is contradictory, from the simple fact that nobody knows why to do "such things" until finding themselves wanting to do that. At most, if the concern is harassing, it can be preferable to have 'restart' redirected to 'reload' but, at the same time, warning the user that they, eventually, could choose to run 'stop' and then 'start'. This is obviously my opinion. Thanks for your work.
I'd also prefer to be able to redirect "restart" to "reload" - but unfortunately the systemd developers didn't like the idea to implement an ExecRestart= option for unit files, which makes doing this impossible. I surely won't complain if you or someone else convinces them to change their opinion, but my hope is... limited.
Without any way to change the "restart" behaviour, "restart" always does "stop, then start" - which results in losing AppArmor confinement from running processes if "stop" unloads the profiles. I know and agree that breaking "stop" isn't a good idea, but it's still better than the alternative because it errors out on the safe side. And for the "but who would do that" - I know how it sounds, and it surely includes traces of sarcasm ;-) However, using aa-complain is a much better choice because it allows everything while logging what would be denied. With that log, you can then update the profiles (manually or with aa-logprof) and ideally aa-enforce them again.