[apparmor] Packaging of Profiles

Christian Boltz apparmor at cboltz.de
Tue Aug 10 11:31:30 BST 2010


Hello,

On Friday, 6 August 2010, John Johansen wrote:
> Ideally the profile merge would be done by a dedicated tool that
>  understands apparmor profiles and can take into account changes in
>  profile structure, rule reordering, includes, pattern matching and
>  permissions.  However lacking that tool a 3-way diff text merge
>  would be better than nothing.

Just an idea: would it be possible to generate an audit.log-like file 
from a profile? With this method, logprof could read the generated log. 
The advantage is that logprof already has the code for merging etc. - 
there would only be a need for two things:
a) write a profile-to-audit.log converter
b) find a way for logprof to handle things like variables, wildcards 
   etc. (maybe as a commandline flag)

The only remaining problem I see is how to give logprof a hint which 
execution method (ux, ix etc.) should be used - this can probably be 
solved with a slightly changed log format. Even if not, profile merging 
would still be much easier than currently.


Maybe it is also possible for logprof to read two profiles (without 
converting them to audit.log format before) and merge them without too 
much coding work?


BTW: Talking about logprof - it seems the current version on openSUSE 
11.2 and 11.3 can't handle execute events in the log file and creates a 
null-xy hat instead. Is there a chance to get this fixed?


Regards,

Christian Boltz
-- 
> [suse-talk] _YOU_ are just what we're still missing there ;-) *SCNR* *g*
Exactly. We do need someone to make the marinade. So,
Thilo, be good and come along to suse-talk, we need you! :)
[> Matthias Houdek and David Haller to Thilo Alfred Bätzig in
suse-linux]
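
The profile-to-audit.log idea from the message above, as an added sketch that is not part of the original post and is not AppArmor project code. The sample profile is constructed, the log field layout is an assumption modelled on AppArmor audit messages, and nothing here claims logprof accepts the output; it shows which rules convert directly, which ones fall under item b), and where the execution mode (ix, ux etc.) is lost.

```python
import re

# Constructed sample profile (not from the original post).
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/bin/example {
  #include <abstractions/base>
  /etc/example.conf r,
  /var/log/example.log w,
  @{HOME}/.example/** rw,
  /usr/bin/helper ix,
}
"""

HEADER = re.compile(r"^(/\S+)\s*\{$")            # "/path/to/binary {"
RULE = re.compile(r"^(/\S+)\s+([A-Za-z]+),$")     # "/path perms,"
EXEC = re.compile(r"[pPcCuU]?i?x")                # ix, ux, Px, Cix, ...
GLOB = re.compile(r"[*?\[{]")                     # wildcard characters

def profile_to_events(text):
    """Return (log lines, lines needing item b, exec modes the log lost)."""
    profile, events, skipped, exec_hints = None, [], [], {}
    for line in map(str.strip, text.splitlines()):
        if not line or line == "}":
            continue
        header = HEADER.match(line)
        if header:
            profile = header.group(1)
            continue
        rule = RULE.match(line)
        if not rule or profile is None or GLOB.search(rule.group(1)):
            skipped.append(line)      # includes, variables, wildcards
            continue
        path, perms = rule.groups()
        mask = "".join(c for c in perms if c in "rwalkm")
        exec_mode = EXEC.search(perms)
        if exec_mode:
            exec_hints[path] = exec_mode.group(0)   # not expressible in the mask
            mask += "x"
        op = "exec" if exec_mode else "open"
        # Field layout is an assumption modelled on AppArmor audit messages.
        events.append(
            f'type=AVC msg=audit(0.000:{len(events) + 1}): apparmor="ALLOWED" '
            f'operation="{op}" profile="{profile}" name="{path}" '
            f'requested_mask="{mask}" denied_mask="{mask}"')
    return events, skipped, exec_hints

if __name__ == "__main__":
    print(*profile_to_events(SAMPLE_PROFILE), sep="\n")
```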


