[apparmor] Location for extra profiles

John Johansen john.johansen at canonical.com
Tue Aug 23 22:49:38 UTC 2011



On 08/23/2011 02:48 PM, Steve Beattie wrote:
> On Tue, Aug 23, 2011 at 07:51:38AM -0700, John Johansen wrote:
>> On 08/23/2011 05:14 AM, Christian Boltz wrote:
>>> There's an openSUSE enhancement request to move the "extra" profiles to
>>> /lib/apparmor/profiles/.
>>>
>>> See https://bugzilla.novell.com/show_bug.cgi?id=713647 for details.
>>> (You can also comment there so that I don't have to forward the answer.)
>>>
>>> Do you like the idea of moving the "extra" profiles to /lib/?
>>> What changes would be needed so that genprof still finds them?
>>>
>> Well I am not opposed to re-examining this as I don't really like the set
>> up we currently have. I am not opposed to moving the "extra" profiles out
>> of /etc/ but I don't really like /lib/ as a location (though I can see
>> why people would choose it).
> 
> As upstream, I don't think we can really dictate to distributions
> where they should place them. For the record, the extras profiles
> get installed into /usr/share/doc/apparmor-profiles/extras/ on Ubuntu.
> 
Right, but we could discuss where we put them by default (ie reference
location).

> I think probably the best thing would be if the location that
> distribution vendors chose to place them was captured in a
> configuration file in /etc/apparmor/; that way, tools to manage
> profiles would know where to look for the extras profiles.
> 
Yeah, this is a very good idea.

>> Just where the "extra" profiles should go will depend on your pov of how
>> they should interact with the active profile set and what should be done
>> at the packaging level.
>>
>> For example should the "extra" profiles really be a reference set that
>> the packaging system expects not to change, with the active set symlinking
>> to them.  Or do you want the packaging system to actively manage the
>> active set as conf files so that when a conflict occurs it is immediately
>> apparent.
> 
> Historically, the upstream expectation has been that the "extras"
> profiles are incomplete and could/should be used as a starting point
> for profile development (with the hope that improvements would be
> contributed back). It was the way for profile developers to collaborate
> before the apparmor repository (now dead) was developed. Ideally,
> policy distribution and development would get separated from
> implementation.
> 
Well, not exactly dead, as the online repo still exists
  http://apparmor.opensuse.org/
and the base ability still exists in the tools.  But it has bit-rotted
for years and needs some serious updating/replacing.

But whether or not a repository exists doesn't currently matter
to the discussion of where we store profiles locally.
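As an added illustration of the two ideas raised in this thread (a configuration file under /etc/apparmor/ that records where the distribution put the "extra" profiles, and making a conflict between the extras set and the active set immediately apparent), the following POSIX sh snippet is example code written for this page, not part of the AppArmor tools. The key name `extras_dir`, the file name `profiles.conf`, and all directory contents are constructed assumptions.

```shell
#!/bin/sh
# Constructed example: resolve the "extras" profile directory from a
# key=value line in a conf file (assumed key: extras_dir, assumed file:
# /etc/apparmor/profiles.conf), then list profile names that exist in
# both the active set and the extras set, i.e. a naming conflict that a
# packaging tool would want to surface before installing or symlinking.

# conf_get FILE KEY DEFAULT: print the last value of KEY, else DEFAULT.
conf_get() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$3"
    fi
}

# profile_conflicts ACTIVE_DIR EXTRAS_DIR: print names present in both.
profile_conflicts() {
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        n=${f##*/}
        [ -e "$1/$n" ] && printf '%s\n' "$n"
    done
    return 0
}

# Constructed fixture in a scratch tree: one profile shipped in both sets.
demo_conflicts() {
    t=$(mktemp -d)
    extras="$t/usr/share/doc/apparmor-profiles/extras"
    mkdir -p "$t/etc/apparmor" "$t/etc/apparmor.d" "$extras"
    printf 'extras_dir = %s\n' "$extras" > "$t/etc/apparmor/profiles.conf"
    : > "$t/etc/apparmor.d/usr.sbin.ntpd"       # active profile
    : > "$extras/usr.sbin.ntpd"                  # same name in extras
    : > "$extras/usr.bin.example"                # extras-only profile
    # Fallback location is the /lib/ path proposed in the openSUSE request.
    dir=$(conf_get "$t/etc/apparmor/profiles.conf" extras_dir "$t/lib/apparmor/profiles")
    profile_conflicts "$t/etc/apparmor.d" "$dir"
    rm -rf "$t"
}
```

Running `demo_conflicts` prints only `usr.sbin.ntpd`, the one name present in both sets.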

