[Bug 881762] Yast2 removes #include <tunables/global> line from Apparmor profiles making them unusable
http://bugzilla.opensuse.org/show_bug.cgi?id=881762
--- Comment #17 from Christian Boltz
Hi Christian, I fully accept your comments.
To further the troubleshooting I have tried other archived OpenSUSE versions:
Wow, thanks!
v12.1 The clients are now called by their modern names (i.e. no mention of Novell) and also work.
v12.2 This is where the clients stop working (i.e. when it re-writes the file it misses out the #include
line).
I downloaded the perl-apparmor and yast2-apparmor packages for 12.1 and 12.2,
unpacked them and checked the diff, which isn't too big.
The YaST changes are mostly text changes in help texts and error messages
(unless I overlooked something - I don't speak YCP).
The perl-apparmor changes are more code-related, but unfortunately I don't see
an obvious change that could cause the breakage with #include
One final thing before allowing this to rest;
I note that in the old "NovelApparmor" days, there was no directory called "/etc/apparmor.d/local/" which is, I assume, why the present yast2-apparmor does not allow you to select this directory when adding a new entry. The offending line appears to be in "/usr/share/YaST2/include/apparmor/profile_dialog.rb" line number 1308 -
validIncludes = [ "/etc/apparmor.d/abstractions", "/etc/apparmor.d/program-chunks", "/etc/apparmor.d/tunables"
Which I suspect is already on your (long) todo list.
Well, the question is if you want/need to add that if you edit a profile
manually. local/* is meant as "plugin" directory for upstream profiles so that
you can avoid editing the "official" profile (there's a TODO for the aa-* tools
to also work that way...). So if you already edit a profile, it doesn't make
too much sense to add an #include
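An added example (not part of the bug report, and not YaST or AppArmor code): a check for the failure named in this bug's title, flagging a profile that uses `@{...}` variables without defining them or including a `tunables/` file. The function name and the sample profiles are constructed for illustration, and the check assumes that any `tunables/` include supplies the variables the profile uses.

```python
import re

# AppArmor accepts both "#include <x>" and "include <x>" (optionally "if exists").
INCLUDE_RE = re.compile(r'^\s*#?include\s+(?:if\s+exists\s+)?[<"]([^>"]+)[>"]')
VAR_DEF_RE = re.compile(r'^\s*@\{(\w+)\}\s*\+?=')
VAR_USE_RE = re.compile(r'@\{(\w+)\}')


def undefined_variables(profile_text):
    """Return variables used but neither defined locally nor covered by a tunables include."""
    includes, defined, used = [], set(), set()
    for line in profile_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            includes.append(m.group(1))
            continue
        if line.lstrip().startswith("#"):
            continue  # ordinary comment line
        m = VAR_DEF_RE.match(line)
        if m:
            defined.add(m.group(1))
            line = line.split("=", 1)[1]  # the right-hand side may reference other variables
        used.update(VAR_USE_RE.findall(line))
    # Assumption: a tunables/ include (relative or absolute path) defines what the profile needs.
    if any("tunables/" in path for path in includes):
        return []
    return sorted(used - defined)


# Constructed sample profile, as written by hand.
INTACT = """#include <tunables/global>

/usr/bin/example {
  #include <abstractions/base>
  owner @{HOME}/.example/** rw,
  @{PROC}/sys/kernel/hostname r,
}
"""

# The same profile after a rewrite that drops the tunables include line.
REWRITTEN = INTACT.replace("#include <tunables/global>\n", "", 1)

if __name__ == "__main__":
    for name, text in (("intact", INTACT), ("rewritten", REWRITTEN)):
        print(name, undefined_variables(text))
```

Running the check over a copy of each profile before and after an editing tool saves it shows whether the include line survived the rewrite.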