[apparmor] [patch] Change /bin/ paths in profiles to also match on /usr/bin/
Simon Deziel
simon.deziel at gmail.com
Sat Oct 3 22:13:07 UTC 2015
On 10/03/2015 02:40 PM, Christian Boltz wrote:
> Hello,
>
> On Monday, 21 September 2015, Simon Deziel wrote:
>> On 09/18/2015 06:09 PM, Seth Arnold wrote:
>>> On Fri, Sep 18, 2015 at 09:54:58PM +0200, Christian Boltz wrote:
>>>> oftc_ftw reported on IRC that Arch Linux has a symlink /bin ->
>>>> /usr/bin. This means we have to update paths for /bin/ in several
>>>> profiles to also allow /usr/bin/
>>>
>>> I think this would be better solved by alias rules, one
>>>
>>> alias /bin -> /usr/bin,
>>
>> I like this idea and I'm wondering why it wasn't used for the
>> transition from /var/run to /run?
>
> Good question. Maybe nobody thought of it, or we thought that setting up
> aliases should be reserved to the user (not to shipped policy).
>
> I can see why an alias would make the profiles easier to read.
> OTOH, it can also be confusing because there's an external file
> "modifying" the profile - so people reading the profile might wonder why
> /bin/... works even if the binary was moved to /usr/bin/...
>
> Therefore my personal opinion is that /{,usr/}/bin/... is the better
> choice, even if the alternation might make the profile a bit harder
> to read (but still easier than having to look up aliases in another
> file).

Good point, it has the advantage of not surprising the sysadmin.

That said, for transitions like the /var/run one, how long do we have to
carry the alternation syntax for? Are all AppArmor-enabled distros fully
switched to /run by now?

Regards,
Simon
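
The two approaches weighed in this thread, side by side, as an added example that is not part of the original message or of AppArmor's shipped policy. The profile name, the `/usr/sbin/exampled` path and the individual rules are hypothetical; the two fragments are alternatives, not the contents of one file.

```apparmor
# ---- Option A: alias rule (the suggestion quoted above) ----
# Alias rules sit in the policy preamble, outside any profile block,
# so the profile below gives no hint that /usr/bin is also matched.
alias /bin -> /usr/bin,

profile exampled /usr/sbin/exampled {
  # Written for /bin only; the /usr/bin match comes from the alias.
  /bin/grep ix,
  /bin/sed  ix,

  # The /var/run -> /run transition would need its own alias.
  /var/run/exampled.pid w,
}

# ---- Option B: alternation inside each rule ----
# Every rule spells out both locations, so the profile is
# self-describing at the cost of a noisier path.
profile exampled /usr/sbin/exampled {
  # {,usr/} expands to "" or "usr/": /bin/grep and /usr/bin/grep
  /{,usr/}bin/grep ix,
  /{,usr/}bin/sed  ix,

  # Same pattern for /var/run -> /run:
  # matches /run/exampled.pid and /var/run/exampled.pid
  /{,var/}run/exampled.pid w,
}
```

With option B, auditing which rules still carry a legacy location is a text search of the profiles for `{,usr/}` or `{,var/}`; with option A the equivalent check has to include whichever file holds the alias rules.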