Comment # 23 on bug 1065388 from
Comments 19..22 are handled in bug 1206957 - please ignore them here since this
bugreport is already long enough.

Actually I wonder - is there anything left in this old bugreport or can we
close it?

The only remaining thing I noticed are the comments 17 and 18. They include the
idea of creating abstractions/groff with lots of '/usr/bin/$whatever mrix,'
rules. In upstream AppArmor, we tend to avoid execute rules in abstractions
(because it makes using other execute modes like Px hard), therefore I'm not
sure if I like your idea. OTOH, having an abstraction with all the groff
helpers looks useful.

Maybe a solution would be to _only_ allow executing all the helpers, but not
groff and nroff itself so that people could still run groff or nroff with Px
or Cx, and then include the abstraction in that separate profile.

Werner, since the proposed abstraction is quite old, can you please have a
quick look at it if the list of helpers is still up-to-date before I finally
submit it upstream?
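
An added example of the split suggested in this comment (not part of the bug report and not the proposed abstraction): the abstraction carries only helper rules, and the calling profile chooses the execute mode for groff itself. The file name `abstractions/groff-helpers`, the caller `/usr/bin/example-viewer` and the helper list are assumptions made for illustration; nroff is left out.

```apparmor
# --- abstractions/groff-helpers (hypothetical file name) ---
# Helper binaries only. The list is a constructed sample, not the list
# from the proposed abstraction. No rule here matches groff or nroff.
  /usr/bin/troff   mrix,
  /usr/bin/grotty  mrix,
  /usr/bin/tbl     mrix,
  /usr/bin/eqn     mrix,
  /usr/bin/pic     mrix,

# --- profile for a hypothetical caller, /usr/bin/example-viewer ---
include <tunables/global>

profile example-viewer /usr/bin/example-viewer {
  include <abstractions/base>

  # The caller picks the execute mode for groff itself. If the abstraction
  # also carried '/usr/bin/groff mrix,' and were included at this level,
  # the parser would reject the profile for conflicting x modifiers.
  /usr/bin/groff Cx -> groff,

  profile groff {
    include <abstractions/base>
    include <abstractions/groff-helpers>

    /usr/bin/groff mr,
    # Data files groff reads (assumed location).
    /usr/share/groff/** r,
  }
}
```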

