[apparmor] AppArmor and /etc/

Christian Boltz apparmor at cboltz.de
Sun Nov 26 14:36:49 UTC 2017


Hello,

just a short answer since John already answered most questions:

On Saturday, 25 November 2017, 17:16:07 CET, intrigeri wrote:
> Marco d'Itri:
...
> 3. Our local override mechanism is Debian-specific
> 
>    AFAIK the "#include <local/$profile>" thing is the norm only on
>    Debian and derivatives. Christian, what do you do at OpenSUSE?

openSUSE also includes the local/ files - but since aa-logprof always 
updates the main profile file, the local/ files are not too useful.
(Changing aa-logprof to use the local/ include is on my TODO list, but 
it's far from being top priority, and probably needs some other changes 
first.)

> > Why is /etc/apparmor.d/cache/ not somewhere else?
> > If the reason is to not have a dependency on /var/ being mounted
> 
> I bet this is exactly the reason (we want to load policy ASAP in the
> boot process), but I've been involved in this community only since
> 2013 so I can't tell for sure.

Exactly.

openSUSE uses /var/lib/apparmor/cache/ - with the default BTRFS layout, 
it's part of the root partition. 

With non-default partitioning and /var/ on a separate partition, this 
will indeed introduce a dependency on /var/lib/ being mounted. 
That makes /var/lib/apparmor/cache/ less perfect, but the decision was 
made against having a binary cache in /etc/. Oh, and the person who 
argued most against having the cache in /etc/ officially allowed me to 
blame him if /var/lib/apparmor/cache/ causes issues *eg*


Regards,

Christian Boltz
-- 
Journal is just for "fun" (well, strange values of "fun")
for now and the foreseeable future.
[Stefan Seyfried in opensuse-factory]