Of course, this really isn't "the problem". Nothing wrong with apparmor or selinux. The problem is assuming a "one set of rules fits all" mentality.

I actually like apparmor. But maybe if people knew how to use it to make their own policies instead of accepting (note: In this case the "accept" is through the distribution's install) the assumptions of another...

Granted, I don't want to go total "Lennart" (you don't have to use systemd, etc.), but felt it needed to be said anyhow.

On 5/11/20 9:49 AM, L. van Belle via samba wrote:
> Normally that's no problem but enforcing apparmor to be installed..
>
> Seems needed..
> https://wiki.debian.org/AppArmor
> AppArmor is a Mandatory Access Control framework.
>
> I removed it, change bootloader, disable it fully.
>
> ..
>
> Steps to Disable AppArmor.
>
> AppArmor is a security mechanism and disabling it is not recommended. If you
> really need to disable AppArmor on your system:
>
> $ sudo mkdir -p /etc/default/grub.d
> $ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \
>   | sudo tee /etc/default/grub.d/apparmor.cfg
> $ sudo update-grub
> $ sudo reboot
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Rowland penny via samba
>> Sent: Monday 11 May 2020 16:39
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] upgraded DC shows IDs instead of usernames
>>
>> On 11/05/2020 15:24, L. van Belle via samba wrote:
>>> For all Debian 10 people and strange things after upgrade of debian.
>>>
>>> apt remove apparmor
>>>
>>> Next debian upgrade use : apt dist-upgrade --no-install-recommends
>>> That won't install apparmor.
>>
>> Ah, now I think about it, this came up on the Devuan mailing list,
>> Debian seems to have gone mad and now installs every recommended
>> package. This is breaking lots of working systems.
>>
>> Rowland

On 11/05/2020 15:56, Christopher Cox via samba wrote:
> Of course, this really isn't "the problem". Nothing wrong with
> apparmor or selinux. The problem is assuming a "one set of rules fits
> all" mentality.
>
> I actually like apparmor. But maybe if people knew how to use it to
> make their own policies instead of accepting (note: In this case the
> "accept" is through the distribution's install) the assumptions of
> another...
>
> Granted, I don't want to go total "Lennart" (you don't have to use
> systemd, etc.), but felt it needed to be said anyhow.

I never said there is anything wrong with Apparmor, it is (like Selinux) extremely hard to configure unless you are a rocket scientist. If they want more people to use it, they need to come up with some way to automatically configure it. If they don't, you are going to continue reading things like 'first turn off Apparmor' in howto's.

Apparmor is great when it works, it is just getting it to work that is the hard part ;-)

Rowland

On 5/11/20 10:11 AM, Rowland penny via samba wrote:
> On 11/05/2020 15:56, Christopher Cox via samba wrote:
>> Of course, this really isn't "the problem". Nothing wrong with apparmor or
>> selinux. The problem is assuming a "one set of rules fits all" mentality.
>>
>> I actually like apparmor. But maybe if people knew how to use it to make
>> their own policies instead of accepting (note: In this case the "accept" is
>> through the distribution's install) the assumptions of another...
>>
>> Granted, I don't want to go total "Lennart" (you don't have to use systemd,
>> etc.), but felt it needed to be said anyhow.
>
> I never said there is anything wrong with Apparmor, it is (like Selinux)
> extremely hard to configure unless you are a rocket scientist. If they want more
> people to use it, they need to come up with some way to automatically configure
> it. If they don't, you are going to continue reading things like 'first turn off
> Apparmor' in howto's.
>
> Apparmor is great when it works, it is just getting it to work that is the hard
> part ;-)

It has a reasonable runtime inspection mechanism that makes things pretty easy (IMHO).