Bug 113655

Summary: AppArmor Add Profile Wizard "does not allow the creation of this profile"
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Christian Boltz <suse-beta>
Component: AppArmor
Assignee: Dominic W Reynolds <dreynolds>
Status: RESOLVED FIXED
QA Contact: Keiran Haggerty <khaggerty>
Severity: Normal
Priority: P5 - None
Version: Beta 3
Target Milestone: Beta 4
Hardware: Other
OS: All
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: screen shot, y2logs

Description Christian Boltz 2005-08-28 16:24:00 UTC
The AppArmor "Add profile wizard" (in YaST) shows a message "... does not allow the creation of this profile".

I tested with the profile names "acroread" and "kmail".
Comment 1 Christian Boltz 2005-08-28 16:25:55 UTC
Created attachment 47904 [details]
screen shot
Comment 2 Christian Boltz 2005-08-28 16:28:44 UTC
Created attachment 47906 [details]
y2logs
Comment 3 Dominic W Reynolds 2005-08-30 05:42:48 UTC
The AppArmor version shipped with SUSE Linux 10 targets a specific set of
applications that are allowed to be profiled. 

The acroread profile will be shipped with beta 4 and further refinement with the
"Add AppArmor Profile" wizard will be supported.

The kmail application is not planned to be supported for profiling in SUSE Linux 10.

The namespace of allowed programs that can be profiled is as follows (note: this may
be subject to modification prior to the general release):

/bin/netstat
/bin/ping
/bin/traceroute
/lib64/ld-**
/lib/ld-**
/opt/i386-linux-uclibc/lib/ld-uClibc**
/opt/powerpc-linux-uclibc/lib/ld-uClibc**
/opt/gnome/lib/bonobo/bonobo-activation-server
/opt/gnome/lib/evolution-data-server-1.2/evolution-data-server-**
/opt/gnome/bin/evolution
/opt/gnome/bin/evolution-2.4
/opt/gnome/bin/gaim
/opt/gnome/bin/gaim-remote
/opt/gnome/lib/GConf/2/gconfd-2
/opt/MozillaFirefox/bin/add-plugins.sh
/opt/MozillaFirefox/bin/firefox.sh
/opt/MozillaFirefox/bin/rebuild-databases.sh
/opt/MozillaFirefox/lib/firefox-bin
/opt/MozillaFirefox/lib/mozilla-xremote-client
/sbin/klogd
/sbin/portmap
/sbin/rcportmap
/sbin/syslogd
/usr/bin/apropos
/usr/bin/clusterdb
/usr/bin/createdb
/usr/bin/createlang
/usr/bin/createuser
/usr/bin/dropdb
/usr/bin/droplang
/usr/bin/dropuser
/usr/bin/initdb
/usr/bin/ipcclean
/usr/bin/isamchk
/usr/bin/isamlog
/usr/bin/ldd
/usr/bin/man
/usr/bin/myisamchk
/usr/bin/myisam_ftdump
/usr/bin/myisamlog
/usr/bin/myisampack
/usr/bin/my_print_defaults
/usr/bin/mysqlbug
/usr/bin/mysql_convert_table_format
/usr/bin/mysql_create_system_tables
/usr/bin/mysqld_multi
/usr/bin/mysqld_safe
/usr/bin/mysqldumpslow
/usr/bin/mysql_explain_log
/usr/bin/mysql_fix_extensions
/usr/bin/mysql_fix_privilege_tables
/usr/bin/mysqlhotcopy
/usr/bin/mysql_install_db
/usr/bin/mysql_secure_installation
/usr/bin/mysql_setpermission
/usr/bin/mysqltest
/usr/bin/mysql_tzinfo_to_sql
/usr/bin/mysql_zap
/usr/bin/ntlm_auth
/usr/bin/pack_isam
/usr/bin/pg_controldata
/usr/bin/pg_ctl
/usr/bin/pg_dump
/usr/bin/pg_dumpall
/usr/bin/pg_resetxlog
/usr/bin/pg_restore
/usr/bin/postgres
/usr/bin/postmaster
/usr/bin/procmail
/usr/bin/psql
/usr/bin/resolveip
/usr/bin/resolve_stack_dump
/usr/bin/smbstatus
/usr/bin/tdbbackup
/usr/bin/tdbdump
/usr/bin/tdbtool
/usr/bin/vacuumdb
/usr/bin/wbinfo
/usr/lib/mailman/bin/**
/usr/lib/mailman/cgi-bin/**
/usr/lib/man-db/man
/usr/lib/postfix/bounce
/usr/lib/postfix/cleanup
/usr/lib/postfix/flush
/usr/lib/postfix/local
/usr/lib/postfix/master
/usr/lib/postfix/nqmgr
/usr/lib/postfix/pickup
/usr/lib/postfix/proxymap
/usr/lib/postfix/qmgr
/usr/lib/postfix/scache
/usr/lib/postfix/showq
/usr/lib/postfix/smtp
/usr/lib/postfix/smtpd
/usr/lib/postfix/tlsmgr
/usr/lib/postfix/trivial-rewrite
/usr/lib/sendmail.d/bin/mailman
/usr/sbin/httpd2-prefork
/usr/sbin/identd
/usr/sbin/in.identd
/usr/sbin/mysqld
/usr/sbin/nmbd
/usr/sbin/nscd
/usr/sbin/ntpd
/usr/sbin/pmap_dump
/usr/sbin/pmap_set
/usr/sbin/postalias
/usr/sbin/postdrop
/usr/sbin/postmap
/usr/sbin/postqueue
/usr/sbin/rcmailman
/usr/sbin/rcmysql
/usr/sbin/rcnmb
/usr/sbin/rcpostgresql
/usr/sbin/rcsmb
/usr/sbin/rcypbind
/usr/sbin/sendmail
/usr/sbin/smbd
/usr/sbin/squid
/usr/sbin/sshd
/usr/sbin/swat
/usr/sbin/traceroute
/usr/sbin/ypbind
/usr/X11R6/bin/acroread
/usr/X11R6/bin/ethereal
/usr/bin/opera
/usr/lib/RealPlayer10/realplay.bin
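The list in comment 3 is an allowlist of AppArmor path globs: `*` matches any run of characters except `/`, `**` matches any run including `/`, and `?` matches a single non-`/` character. The following Python is an added illustration, not code from the bug, from YaST or from the AppArmor project, of how such an allowlist decides whether a program may be profiled. It assumes the check is a plain glob match on a canonical absolute path; the bug does not say how the wizard mapped a bare name such as "acroread" to a path, so the example rejects bare names outright. The sample allowlist is a constructed subset of the full list above, and the candidate paths are constructed too.

```python
import posixpath
import re
from typing import List, Optional, Tuple

# Constructed subset of the allowed-program namespace from comment 3.
# AppArmor glob rules: '*' matches any run of characters except '/',
# '**' matches any run including '/', '?' matches one non-'/' character.
ALLOWED_PATTERNS: List[str] = [
    "/bin/ping",
    "/lib64/ld-**",
    "/lib/ld-**",
    "/usr/lib/mailman/bin/**",
    "/usr/sbin/sshd",
    "/usr/X11R6/bin/acroread",
]


def apparmor_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an AppArmor path glob into an anchored regular expression."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            if pattern.startswith("**", i):
                out.append(".*")        # '**' crosses directory boundaries
                i += 2
                continue
            out.append("[^/]*")         # '*' stays within one path component
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


COMPILED: List[Tuple[str, "re.Pattern[str]"]] = [
    (p, apparmor_glob_to_regex(p)) for p in ALLOWED_PATTERNS
]


def normalise(path: str) -> Optional[str]:
    """Return a canonical absolute path, or None if the input is unusable.

    Bare program names ("acroread", "kmail") are rejected: a glob allowlist
    can only be evaluated against an absolute path. Matching is done on the
    normalised form so that "/usr/lib/mailman/bin/../../../bin/sh" is judged
    as "/bin/sh" rather than as something under the mailman directory.
    """
    if not path.startswith("/"):
        return None
    return posixpath.normpath(path)


def allowed_pattern_for(path: str) -> Optional[str]:
    """Return the allowlist entry that admits `path`, or None if a wizard
    built this way would refuse to create a profile for it."""
    canon = normalise(path)
    if canon is None:
        return None
    for pattern, regex in COMPILED:
        if regex.match(canon):
            return pattern
    return None


def is_profilable(path: str) -> bool:
    return allowed_pattern_for(path) is not None


if __name__ == "__main__":
    # Constructed candidates: the two names from the bug report plus some
    # edge cases for the glob and normalisation rules.
    for candidate in [
        "/usr/X11R6/bin/acroread",
        "/opt/kde3/bin/kmail",
        "acroread",
        "/lib64/ld-2.3.5.so",
        "/usr/lib/mailman/bin/qrunner",
        "/usr/lib/mailman/bin/../../../bin/sh",
    ]:
        print(f"{candidate:45s} -> {allowed_pattern_for(candidate)}")
```

The normalisation step is the part worth copying: an allowlist that matches the raw string instead of the canonical path admits anything that can be reached by appending `/../` to an allowed `**` prefix.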
Comment 4 Dominic W Reynolds 2005-08-30 05:43:48 UTC
Fixed acroread for beta4
Comment 5 Christian Boltz 2005-08-30 20:26:06 UTC
> The AppArmor version shipped with SUSE Linux 10 targets a specific
> set of applications that are allowed to be profiled.

If only a specific set of applications is supported, I'd recommend listing
these in the dialog (as help text or in a dropdown instead of the
text input field).

Otherwise, a user might try with two or three applications and, if he
doesn't have the luck to find one of your list, he'll say "hey,
AppArmor must be broken crap!"...

(BTW: I don't think adding the list of supported applications to the README is
enough - people don't like to read documentation...)