[Bug 1150338] Drop Ghostscript apparmor profile as it is useless
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.opensuse.org/show_bug.cgi?id=1150338
http://bugzilla.opensuse.org/show_bug.cgi?id=1150338#c10
--- Comment #10 from Christian Boltz
(In reply to Christian Boltz from comment #7)
(For example, my current tumbleweed has /etc/alternatives/gs -> /usr/bin/gs.bin - I never did any manual changes to it, so it seems to be the current default.)
The default changes to /usr/bin/gs.wrap if you install the gswrap package.
Well, _if_. On the latest Tumbleweed (dup'ed since years), gswrap doesn't get installed automatically, therefore I'm quite sure that 99% of the Tumbleweed users still use gs.bin. Even with the quite broad profile we have now, I don't see the point in removing the AppArmor profile because - removing it makes things less secure (even the very broad profile can for exammple prevent executing binaries) - most people (still?) use gs.bin because it's (still?) the default on a regularly dup'ed Tumbleweed - even if at some point in the future most people use gs.wrap, we shouldn't reduce security for those using gs.bin
Anyway, as I've been asked to review https://build.opensuse.org/request/show/730528 - is there consensus about the AA profile?
I strongly recommend to keep the profile (and to extend it to also attach to gs.bin, not only gs) -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com