[apparmor] [patch] Change /bin/ paths in profiles to also match on /usr/bin/

Christian Boltz apparmor at cboltz.de
Sat Oct 3 18:40:23 UTC 2015


On Monday, 21 September 2015, Simon Deziel wrote:
> On 09/18/2015 06:09 PM, Seth Arnold wrote:
> > On Fri, Sep 18, 2015 at 09:54:58PM +0200, Christian Boltz wrote:
> >> oftc_ftw reported on IRC that Arch Linux has a symlink /bin ->
> >> /usr/bin. This means we have to update paths for /bin/ in several
> >> profiles to also allow /usr/bin/
> > 
> > I think this would be better solved by alias rules, one
> > 
> >   alias /bin -> /usr/bin,
> I like this idea and I'm wondering why it wasn't used for the
> transition from /var/run to /run?

Good question. Maybe nobody thought of it, or we thought that setting up 
aliases should be reserved to the user (not to shipped policy).

I can see why an alias would make the profiles easier to read. 
OTOH, it can also be confusing because there's an external file 
"modifying" the profile - so people reading the profile might wonder why 
/bin/... works even if the binary was moved to /usr/bin/...

Therefore my personal opinion is that /{,usr/}/bin/... is the better 
choice, even if the alternation might make the profile a bit harder 
to read (but still easier than having to look up aliases in another 


Christian Boltz
How often do you think I curse that these Windows boxes first want an
explicit 'Now finally save it to the clipboard as well'
and I always end up clicking into thin air when I'm in a hurry,
just because I forgot a ctrl-c? Come on, can't they just stick
to the usual *nix standard?  [Helga Fischer in suse-linux]
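
An added example, not part of the original message or the AppArmor project's code: a small Python helper that applies the alternation approach discussed in this thread to profile text, rewriting rules whose path begins with /bin/ to /{,usr/}bin/ (which expands to /bin/ and /usr/bin/). The function names, the set of rule qualifiers handled and the sample profile are assumptions made for illustration.

```python
import re

# A rule may carry qualifiers (audit, deny, allow, owner) before its path.
# Only paths whose first component is exactly "bin" are matched.
RULE = re.compile(
    r'^(?P<lead>\s*(?:(?:audit|deny|allow|owner)\s+)*)/bin/(?P<rest>\S.*)$'
)

def rewrite_line(line):
    """Return the line with a leading /bin/ path rewritten to /{,usr/}bin/."""
    if line.lstrip().startswith('#'):   # comments are left untouched
        return line
    m = RULE.match(line)
    if not m:
        return line
    return f"{m.group('lead')}/{{,usr/}}bin/{m.group('rest')}"

def rewrite_profile(text):
    """Rewrite every rule; return (new_text, [(lineno, old, new), ...])."""
    out, changes = [], []
    for n, line in enumerate(text.splitlines(), 1):
        new = rewrite_line(line)
        if new != line:
            changes.append((n, line.strip(), new.strip()))
        out.append(new)
    return "\n".join(out), changes

# Constructed sample profile (hypothetical, for illustration only).
SAMPLE = """\
profile example /usr/sbin/exampled {
  # /bin/true is mentioned in a comment only
  /bin/grep rix,
  owner /bin/sh ix,
  /{,usr/}bin/sed rix,
  /usr/bin/awk rix,
  /etc/example.conf r,
}"""

if __name__ == "__main__":
    new_text, changes = rewrite_profile(SAMPLE)
    for lineno, old, new in changes:
        print(f"line {lineno}: {old}  ->  {new}")
```

Rules that already use the alternation or name /usr/bin/ directly are left as they are, so the helper can be run repeatedly over the same profile.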
