(In reply to Martin Wilck from comment #8) > (In reply to Christian Boltz from comment #7) > > (For example, my current tumbleweed has > > /etc/alternatives/gs -> /usr/bin/gs.bin - I never did any manual changes to > > it, so it seems to be the current default.) > > The default changes to /usr/bin/gs.wrap if you install the gswrap package. Well, _if_. On the latest Tumbleweed (dup'ed since years), gswrap doesn't get installed automatically, therefore I'm quite sure that 99% of the Tumbleweed users still use gs.bin. Even with the quite broad profile we have now, I don't see the point in removing the AppArmor profile because - removing it makes things less secure (even the very broad profile can for exammple prevent executing binaries) - most people (still?) use gs.bin because it's (still?) the default on a regularly dup'ed Tumbleweed - even if at some point in the future most people use gs.wrap, we shouldn't reduce security for those using gs.bin > Anyway, as I've been asked to review > https://build.opensuse.org/request/show/730528 - is there consensus about > the AA profile? I strongly recommend to keep the profile (and to extend it to also attach to gs.bin, not only gs)