[apparmor] [PATCH 2/4] 0002-aa-easyprof-policy.patch

Christian Boltz apparmor at cboltz.de
Wed Feb 8 00:21:29 UTC 2012


On Tuesday, 7 February 2012, Jamie Strandboge wrote:
> On Tue, 2012-02-07 at 16:50 +0100, Christian Boltz wrote:

> > Is the "l" permission really needed for /opt?
> Maybe? I thought it conceivable that applications might have their own
> tmp directory in /opt which is why I added 'l' (ie, we do that in the
> user-tmp abstraction). Of course, that falls apart because I forgot
> 'w'. Maybe I'll drop 'l' for now and add 'l' if we need 'w' later on.
> It is not known if this is strictly required, but the point of this
> policy-group is to make sure that applications can do mostly whatever
> they need to in /opt/@{APPNAME}/ (excepting execs). We'll know more
> when people start trying to use the aa-easyprof.

Easy or not - I don't really like the idea of allowing write permissions in
/opt by default. Let's see what happens without w and l ;-)

The more important question: What about the second half of my mail? Let 
me re-insert it:

> > You should also allow creating ~/.cache, ~/.config, ~/.local and
> > ~/.local/share (in other words: include abstractions/xdg-desktop).


Christian Boltz
By the way: if you want to find out how empty you are: just take a few
bottles of whiskey or so and pour them into your mouth until you are
"full". You can then report the result to me. :-))
[Konrad Neitzel in suse-linux]