[apparmor] [Patch 0/1] RFC: apparmor profile directory

Seth Arnold seth.arnold at gmail.com
Thu Jul 5 23:09:42 UTC 2012


On Sun, Jul 1, 2012 at 4:55 AM, Christian Boltz <apparmor at cboltz.de> wrote:
> I'd vote for a directory name that is more human-readable than the sid
> ;-)
>
> What about using the sid + a readable profile name with non-allowed
> characters replaced?
> Example:
>     42-bin.ping   # sid 42, profile for /bin/ping
>
> I'd replace [^a-zA-Z0-9] with dots. This will replace some characters
> that are allowed in a file name, but IMHO that's better than having

I generally favor giving the human operators a fighting chance but I'm
afraid that someone will try to find a mapping between these names and
the names of the files in /etc/apparmor.d/. Either we should make that
mapping 100% explicit and use the same names or we should be very
upfront that the name attached to the sid is for _human_ inspection
and use and not to be used for automated policy tools. (Though these
sorts of hints are always somehow forgotten.)
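
An added example (not part of the original thread or of AppArmor's code) of the naming scheme proposed in the quoted mail. It shows that the readable part is a lossy, one-way label: distinct profile names collapse to the same string, so only the sid identifies a profile. The function names, the sample profile list, and the stripping of the leading slash (inferred from `42-bin.ping`) are assumptions.

```python
import re
from collections import defaultdict


def readable_name(sid: int, profile: str) -> str:
    """Build '<sid>-<sanitised name>' as proposed in the quoted mail."""
    # Assumption: the leading '/' is dropped, as the example '42-bin.ping' implies.
    hint = re.sub(r"[^a-zA-Z0-9]", ".", profile.lstrip("/"))
    return f"{sid}-{hint}"


def collisions(profiles):
    """Return sanitised hints that more than one profile name maps to."""
    groups = defaultdict(list)
    for profile in profiles:
        hint = readable_name(0, profile).split("-", 1)[1]
        groups[hint].append(profile)
    return {hint: names for hint, names in groups.items() if len(names) > 1}


def sid_of(dirname: str) -> int:
    """What a tool may rely on: the sid. The text after '-' is a human hint only."""
    sid, _, _hint = dirname.partition("-")
    return int(sid)


# Constructed sample profile names, for illustration only.
SAMPLE = [
    "/bin/ping",
    "/bin.ping",
    "/usr/bin/foo-bar",
    "/usr/bin/foo_bar",
    "/usr/sbin/ntpd",
]

if __name__ == "__main__":
    for sid, profile in enumerate(SAMPLE, start=42):
        print(f"{readable_name(sid, profile):24} <- {profile}")
    for hint, names in collisions(SAMPLE).items():
        print(f"ambiguous hint {hint!r}: {names}")
```

Because the hint cannot be reversed to a unique profile name, it also cannot be matched reliably against file names in /etc/apparmor.d/; the sid prefix is the only part that stays unique.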


