[apparmor] Fwd: Bug#735470: Could be implemented centrally with a dpkg trigger instead of requiring every package shipping an apparmor file to use dh_apparmor
seth.arnold at canonical.com
Wed Jan 15 19:14:07 UTC 2014
On Wed, Jan 15, 2014 at 07:30:52PM +0100, intrigeri wrote:
> Didier Raboud suggested to use dpkg triggers for what dh_apparmor
> does, and is happy to give a hand. See the attached message.
> Thank you, Didier!
> What do the original dh_apparmor authors / Ubuntu folks think?
> Any reason Didier missed, that explains why this might not be that
> good an idea?
Thanks for forwarding this along, intrigeri.
> From: Didier Raboud <odyx at debian.org>
> While updating src:cups to solve #735313, I went and took a look at
> dh-apparmor and I gained the conviction that this would be better
> implemented as part of a centralized dpkg-trigger (in apparmor probably)
> instead of being replicated across all packages shipping apparmor files
> (although this is significantly helped with dh-apparmor).
> apparmor could have an 'interest /etc/apparmor.d/' triggers file and its
> postinst would then do the machinery to create (or remove) the
> /etc/apparmor.d/local/* files accordingly.
This does sound nice, but the next part worries me..
> This could also have the side benefit of only running apparmor_parser
> once for all files installed at the same time.
When would this single apparmor_parser run happen? It needs to happen
before daemons are started or restarted in their postinst scripts,
otherwise the AppArmor policy won't be enforced.
> You might be interested in taking a look at cups's postinst to see how
> timestamps are kept to avoid useless re-processing, although an initial
> trigger processing code could just replicate dh-apparmor's postinst code
> for all apparmor profiles found.
> I'd be happy to help with this feature, just ask if you need help!
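The local/ bookkeeping proposed in the quoted message, sketched as a trigger-aware postinst. This is an added example, not part of the thread and not code from dh_apparmor or the apparmor package; the helper name sync_local_overrides, the AA_DIR variable and the rule of deleting only empty stubs are assumptions.

```sh
#!/bin/sh
# Added sketch (not dh_apparmor or apparmor package code).
# Assumes the package's triggers file holds: interest /etc/apparmor.d/
# dpkg then invokes this postinst as: postinst triggered "<trigger names>"

# sync_local_overrides DIR  (hypothetical helper)
# Ensure DIR/local/<profile> exists for each profile file directly in DIR and
# drop stale stubs. Prints the name of every stub it creates, one per line.
sync_local_overrides() {
    aa_dir=$1
    mkdir -p "$aa_dir/local"
    for profile in "$aa_dir"/*; do
        [ -f "$profile" ] || continue      # skip local/, abstractions/, ...
        name=${profile##*/}
        case $name in
            *.dpkg-new|*.dpkg-old|*.dpkg-dist|*~) continue ;;  # leftovers
        esac
        if [ ! -e "$aa_dir/local/$name" ]; then
            : > "$aa_dir/local/$name"
            chmod 644 "$aa_dir/local/$name"
            printf '%s\n' "$name"
        fi
    done
    for stub in "$aa_dir"/local/*; do
        [ -f "$stub" ] || continue
        name=${stub##*/}
        # Assumption: only an empty stub is safe to delete; a non-empty
        # file carries local administrator rules and is left alone.
        if [ ! -e "$aa_dir/$name" ] && [ ! -s "$stub" ]; then
            rm -f "$stub"
        fi
    done
}

# Nothing here reloads policy: when apparmor_parser would run relative to
# daemon (re)starts is the open question in the reply above.
case ${1:-} in
    triggered) sync_local_overrides "${AA_DIR:-/etc/apparmor.d}" >/dev/null ;;
esac
```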