http://bugzilla.opensuse.org/show_bug.cgi?id=1150338 http://bugzilla.opensuse.org/show_bug.cgi?id=1150338#c10 --- Comment #10 from Christian Boltz --- (In reply to Martin Wilck from comment #8)

(In reply to Christian Boltz from comment #7)

...

(For example, my current tumbleweed has /etc/alternatives/gs -> /usr/bin/gs.bin - I never did any manual changes to it, so it seems to be the current default.)

The default changes to /usr/bin/gs.wrap if you install the gswrap package.

Well, _if_. On the latest Tumbleweed (dup'ed since years), gswrap doesn't get installed automatically, therefore I'm quite sure that 99% of the Tumbleweed users still use gs.bin. Even with the quite broad profile we have now, I don't see the point in removing the AppArmor profile because - removing it makes things less secure (even the very broad profile can for exammple prevent executing binaries) - most people (still?) use gs.bin because it's (still?) the default on a regularly dup'ed Tumbleweed - even if at some point in the future most people use gs.wrap, we shouldn't reduce security for those using gs.bin

Anyway, as I've been asked to review https://build.opensuse.org/request/show/730528 - is there consensus about the AA profile?

I strongly recommend to keep the profile (and to extend it to also attach to gs.bin, not only gs) -- You are receiving this mail because: You are on the CC list for the bug.