[apparmor] Fwd: Bug#735470: Could be implemented centrally with a dpkg trigger instead of requiring every package shipping an apparmor file to use dh_apparmor

Didier 'OdyX' Raboud odyx at debian.org
Thu Jan 16 10:11:22 UTC 2014


Hi Seth,

On Wednesday, 15 January 2014, 11.14:07, Seth Arnold wrote:
> On Wed, Jan 15, 2014 at 07:30:52PM +0100, intrigeri wrote:
> > From: Didier Raboud <odyx at debian.org>
> > apparmor could have an 'interest /etc/apparmor.d/' triggers file and
> > its postinst would then do the machinery to create (or remove) the
> > /etc/apparmor.d/local/* files accordingly.
> 
> This does sound nice, but the next part worries me..
> 
> > This could also have the side benefit of only running
> > apparmor_parser once for all files installed at the same time.
> 
> When would this single apparmor_parser run happen? It needs to happen
> before daemons are started or restarted in their postinst scripts,
> otherwise the AppArmor policy won't be enforced.

As far as I understand deb-triggers' manpage, this can be enforced using 
'activate /etc/apparmor.d/', which will then make the trigger run "at 
the start of the configure operation", which ensures exactly what you 
want.

Cheers,
OdyX