[apparmor] Location for extra profiles

John Johansen john.johansen at canonical.com
Tue Aug 23 14:51:38 UTC 2011


On 08/23/2011 05:14 AM, Christian Boltz wrote:
> Hello,
> 
> there's an openSUSE enhancement request to move the "extra" profiles to 
> /lib/apparmor/profiles/.
> 
> See https://bugzilla.novell.com/show_bug.cgi?id=713647 for details.
> (You can also comment there so that I don't have to forward the answer.)
> 
> Do you like the idea of moving the "extra" profiles to /lib/?
> What changes would be needed so that genprof still finds them?
> 
Well, I am not opposed to re-examining this, as I don't really like the
setup we currently have. I am not opposed to moving the "extra" profiles out
of /etc/ but I don't really like /lib/ as a location (though I can see
why people would choose it).

Just where the "extra" profiles should go will depend on your POV of how
they should interact with the active profile set and what should be done
at the packaging level.

For example, should the "extra" profiles really be a reference set that
the packaging system expects not to change, with the active set symlinking
to them? Or do you want the packaging system to actively manage the
active set as conf files so that when a conflict occurs it is immediately
apparent?


