[apparmor] Packaging of Profiles

Jamie Strandboge jamie at canonical.com
Tue Aug 10 17:21:39 BST 2010


On Tue, 2010-08-10 at 08:03 -0400, Marc Deslauriers wrote:
> On Mon, 2010-08-09 at 21:22 -0700, Kees Cook wrote:

> Most packages that ship config files _rarely_ (if ever) modify the
> config files once the distro is released. Administrators who modify the
> config files can be reasonably assured that the large majority of
> upgrades won't be interrupted in the middle with a dialog asking them to
> merge the differences. The difference with AppArmor is that updates will
> often have updated config files, as new rules are added when profile
> restrictions have caused regressions.

This has happened with firefox, but not for any other update (excepting
profile bugfixes, which are also rare) that I know of. For example, the
OpenLDAP update yesterday in Ubuntu should not have prompted anyone on
upgrade (whether the profile was changed or not), because the updated
slapd package did not change its shipped profile. Firefox, as said, is
being dealt with in other distribution-specific ways.

> In rpm packaging, there is a way to mark a config file so that new
> versions never replace the old ones, and are simply thrown in the same
> directory with a ".rpmnew" extension. This may be the way to go. If a
> config file was modified, we may _never_ want to replace it, or bother
> the administrator with a manual intervention process. Presumably, the
> local profile has been tuned, and doesn't hit the regression that the
> package update is trying to correct. If so, the admin can simply update
> his modified profile with a large scale deployment tool, such as Puppet
> or Cfengine.

This is interesting. I wonder if it would be worthwhile to define this
as a use case:

- don't ever touch my profile, you bastard

(yes, I think 'bastard' should be used in the configuration
directive ;P )


-- 
Jamie Strandboge             | http://www.canonical.com
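The rpm behaviour Marc describes is `%config(noreplace)`: rpm replaces such a file on upgrade only when the installed copy is still byte-identical to what the previous package shipped, and otherwise leaves the admin's copy alone and writes the new one beside it as `<file>.rpmnew`. The script below is an added illustration of that decision logic for a single AppArmor profile, not code from this thread, from rpm or from dpkg. The function name `install_config_noreplace`, the `demo` helper, the profile contents and the scratch-directory paths are all made up for the example; a real package manager takes the "shipped checksum" from its own database rather than from an argument.

```shell
#!/bin/sh
# Added example (not code from this thread, rpm or dpkg): emulates the
# rpm %config(noreplace) decision for one AppArmor profile. The package
# knows the checksum of the profile it shipped last time; the admin's copy
# is replaced only if it still matches that checksum, otherwise the new
# profile is dropped beside it as TARGET.rpmnew and local edits survive.
#
# install_config_noreplace NEW TARGET SHIPPED_SUM
#   NEW          profile file from the new package version
#   TARGET       installed path, e.g. /etc/apparmor.d/usr.sbin.slapd
#   SHIPPED_SUM  POSIX cksum of the profile the previous version shipped
# Prints the action taken: installed | unchanged | replaced | rpmnew

sum_of() { cksum "$1" | cut -d' ' -f1; }

install_config_noreplace() {
    new=$1; target=$2; shipped_sum=$3
    if [ ! -e "$target" ]; then
        cp "$new" "$target"              # fresh install, nothing to protect
        echo installed; return 0
    fi
    if [ "$(sum_of "$new")" = "$(sum_of "$target")" ]; then
        echo unchanged; return 0         # package did not change its profile
    fi
    if [ "$(sum_of "$target")" = "$shipped_sum" ]; then
        cp "$new" "$target"              # admin never edited it: safe to update
        echo replaced; return 0
    fi
    cp "$new" "$target.rpmnew"           # locally tuned: never overwrite it
    echo rpmnew; return 0
}

# Constructed sample run in a scratch directory. The profile bodies are
# invented for the example and are not real Ubuntu slapd profiles.
demo() {
    d=$(mktemp -d) || return 1
    t="$d/usr.sbin.slapd"
    printf '/usr/sbin/slapd {\n  /etc/ldap/** r,\n}\n' > "$d/v1"
    printf '/usr/sbin/slapd {\n  /etc/ldap/** r,\n  /var/lib/ldap/** rwk,\n}\n' > "$d/v2"
    printf '/usr/sbin/slapd {\n  /etc/ldap/** r,\n  /var/lib/ldap/** rwk,\n  /proc/*/status r,\n}\n' > "$d/v3"
    v1sum=$(sum_of "$d/v1"); v2sum=$(sum_of "$d/v2")

    a=$(install_config_noreplace "$d/v1" "$t" "")        # first install
    b=$(install_config_noreplace "$d/v1" "$t" "$v1sum")  # same profile re-shipped
    c=$(install_config_noreplace "$d/v2" "$t" "$v1sum")  # untouched copy: update it

    # Admin adds a local rule to the installed profile.
    printf '/usr/sbin/slapd {\n  /etc/ldap/** r,\n  /var/lib/ldap/** rwk,\n  /home/** r,\n}\n' > "$t"
    e=$(install_config_noreplace "$d/v3" "$t" "$v2sum")  # tuned copy: .rpmnew
    [ -e "$t.rpmnew" ] || e="missing-rpmnew"

    rm -rf "$d"
    echo "$a $b $c $e"
}

demo   # prints: installed unchanged replaced rpmnew
```

The first three calls show that a package which does not change its shipped profile (the slapd case in the message above) causes no prompt and no `.rpmnew`; only the last call, where the admin has tuned the file and the package changed it too, leaves the new profile beside the local one for later merging with a deployment tool.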