[apparmor] Sharing profiles maintenance once they're ready for production
apparmor at cboltz.de
Mon Mar 10 21:06:11 UTC 2014
On Friday, 17 January 2014, intrigeri wrote:
> 1. I've little experience maintaining profiles in a cross-distro way,
> but I suspect that tunables should be enough to cope with most
> distribution-specific deltas. What do you think?
I fully agree - having cross-distro profiles (if needed, with some
differences in tunables) sounds like a good goal.
> 2. Was this discussed previously? Was the idea of a cross-distro VCS
> repository for shared maintenance of profiles investigated yet?
It was discussed, but without a real solution.
As you already noticed, there's lp:apparmor-profiles, and the way it is
handled makes it quite (and IMHO needlessly) hard to share the profile
with other distributions.
For openSUSE, I package only the profiles in lp:apparmor, and submit my
changes back to lp:apparmor. This means the profiles shipped in the
AppArmor tarball will always work on openSUSE, but it also means I
don't have lots of profiles to ship.
Some openSUSE packages also contain their own profile, but I don't have
a good overview of which packages contain profiles. Those profiles are
usually maintained by the package maintainer.
This also opens up an important question: who does the profile
- If the packager does it, then it's understandable that he wants to
have the profile in his package, which also makes it easy for him to
update it. (Ideally the profile would be in $package's upstream
tarball, but this rarely happens.)
- If $package maintainer doesn't care and bug reports about the profiles
end up at the AppArmor packager, then having the profiles in the
apparmor-profiles package (and in lp:apparmor) is the best solution.
This also tends to be a fast and efficient way - if you avoid sending
20 profile patches per day, you'll usually get a review within some
That all said: Yes, I'd really like to have a better way to share
profiles with other distributions. We "just" need to decide about the
I'd be happy with adding profiles to lp:apparmor/profiles/apparmor.d/ -
any other opinions?
 at least for the programs I'm using regularly ;-)
Here there is, for example, an address DB for a few people, and even
the simultaneous use of this DB is rather the exception.
The databases here probably don't even deserve the name.
If you like, you can also call it a shared structured
notepad. [Al Bogner in suse-linux]