[apparmor] Location for extra profiles

Steve Beattie steve at nxnw.org
Tue Aug 23 21:48:21 UTC 2011


On Tue, Aug 23, 2011 at 07:51:38AM -0700, John Johansen wrote:
> On 08/23/2011 05:14 AM, Christian Boltz wrote:
> > there's an openSUSE enhancement request to move the "extra" profiles to 
> > /lib/apparmor/profiles/.
> > 
> > See https://bugzilla.novell.com/show_bug.cgi?id=713647 for details.
> > (You can also comment there so that I don't have to forward the answer.)
> > 
> > Do you like the idea of moving the "extra" profiles to /lib/?
> > What changes would be needed so that genprof still finds them?
> > 
> Well I am not opposed to re-examining this as I don't really like the setup
> we currently have. I am not opposed to moving the "extra" profiles out
> of /etc/ but I don't really like /lib/ as a location (though I can see
> why people would choose it).

As upstream, I don't think we can really dictate to distributions
where they should place them. For the record, the extras profiles
get installed into /usr/share/doc/apparmor-profiles/extras/ on Ubuntu.

I think probably the best thing would be if the location that
distribution vendors chose to place them was captured in a
configuration file in /etc/apparmor/; that way, tools to manage
profiles would know where to look for the extras profiles.

> Just where the "extra" profiles should go will depend on your pov of how
> they should interact with the active profile set and what should be done
> at the packaging level.
> 
> For example, should the "extra" profiles really be a reference set that
> the packaging system expects not to change, with the active set symlinking
> to them?  Or do you want the packaging system to actively manage the
> active set as conf files so that when a conflict occurs it is immediately
> apparent?

Historically, the upstream expectation has been that the "extras"
profiles are incomplete and could/should be used as a starting point
for profile development (with the hope that improvements would be
contributed back). It was the way for profile developers to collaborate
before the apparmor repository (now dead) was developed. Ideally,
policy distribution and development would get separated from
implementation.

The apparmor-profiles project https://launchpad.net/apparmor-profiles/
is a baby step towards doing this in a bzr/vcs tree. One issue
is that as structured currently it's hard to merge improvements
across distributions the way the current extras works (as there's no
distinction between distros). We also haven't been advertising it very
widely, and as such, not much profile development has occurred there.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/