[Bug 713647] New: move apparmor profiles to /lib
https://bugzilla.novell.com/show_bug.cgi?id=713647#c0

           Summary: move apparmor profiles to /lib
    Classification: openSUSE
           Product: openSUSE 12.1
           Version: Factory
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Enhancement
          Priority: P5 - None
         Component: AppArmor
        AssignedTo: jeffm@novell.com
        ReportedBy: lnussel@novell.com
         QAContact: qa@suse.de
                CC: suse-beta@cboltz.de
          Found By: ---
           Blocker: ---

/etc/apparmor.d and /etc/apparmor/profiles contain lots of files that are not really meant to be edited. Also, files in /etc/apparmor.d are auto activated with no proper way for the admin to override.

I'd suggest to move all those files to /lib/apparmor/profiles instead. Then use symlinks in /etc/apparmor.d to enable profiles. There should be a command line tool like chkconfig (or chkconfig extended) to view and enable/disable profiles. That way would be consistent with the way systemd stuff and also good old init scripts work.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=713647#c1

--- Comment #1 from Christian Boltz <suse-beta@cboltz.de> 2011-08-23 14:10:03 CEST ---

AppArmor 2.7 (beta1) has an aa-disable tool that creates a symlink to disabled profiles in /etc/apparmor.d/disabled/. That already solves one part of your request as soon as Jeff updates the AppArmor package.

I have no idea why there is no aa-enable tool (maybe because it would be too simple - just delete the symlink ;-) - I'll ask this upstream.

Regarding moving the "extra" profiles to /lib, I'll start a discussion upstream. I'd like to avoid an openSUSE-specific solution here. For example, aa-genprof uses the "extra" profiles as base and therefore needs to be able to find them, which means the needed change is more than "move the files to /lib/".
https://bugzilla.novell.com/show_bug.cgi?id=713647#c2

John Johansen <jrjohansen@verizon.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jrjohansen@verizon.net

--- Comment #2 from John Johansen <jrjohansen@verizon.net> 2011-08-23 14:20:10 UTC ---

All the profile files and config files in /etc/apparmor and /etc/apparmor.d/ can/should be able to be hand edited. The binary cache files shouldn't be, and we are working towards moving those out of /etc/apparmor.d/cache to the appropriate place.

The appropriate place for the "extra" inactive profiles is an interesting discussion and seems to be rooted in packaging and system config philosophies, it's one that comes up almost yearly and yet has only resulted in the status quo. If Christian wants to reopen the discussion more power to him.

The profiles in /etc/apparmor.d/ aren't so much activated as they are the active profile set, the intention being inactive profiles are stored elsewhere.

We are moving in the direction of an aa-enable/aa-disable tooling, with aa-disable being a first pass. I think the aa-enable tool didn't happen because it is currently just removing a symlink so low priority.
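
Added example, not part of the bug thread and not code from the AppArmor tools: POSIX shell functions for the chkconfig-style view requested in the report and the "enable is just removing a symlink" step from comments #1 and #2. The function names are hypothetical, and the default subdirectory name `disable` is an assumption; pass the directory name your AppArmor version uses as the last argument.

```shell
# List each profile in a profile directory with its state, chkconfig-style.
# Usage: aa_profile_state [PROFILE_DIR] [DISABLE_SUBDIR]
# Assumption: a profile counts as disabled when DISABLE_SUBDIR holds a
# symlink with the same file name (the symlink scheme described above).
aa_profile_state() {
    dir=${1:-/etc/apparmor.d}
    sub=${2:-disable}
    for f in "$dir"/*; do
        # Only top-level regular files are treated as profiles; this skips
        # subdirectories such as cache/ and the disable directory itself.
        [ -f "$f" ] || continue
        name=${f##*/}
        if [ -L "$dir/$sub/$name" ]; then
            printf '%s\tdisabled\n' "$name"
        else
            printf '%s\tenabled\n' "$name"
        fi
    done
}

# Enable a profile by removing its disable symlink, and nothing else.
# Usage: aa_profile_enable PROFILE_DIR PROFILE_NAME [DISABLE_SUBDIR]
# Returns 2 for a name containing a path separator, 1 when there is no
# symlink to remove. Loading the profile into the kernel is a separate step.
aa_profile_enable() {
    dir=$1
    name=$2
    sub=${3:-disable}
    case $name in
        ''|*/*) return 2 ;;   # never let the name escape the directory
    esac
    link="$dir/$sub/$name"
    # Refuse to delete anything that is not a symlink (e.g. a real file
    # an admin placed there by hand).
    [ -L "$link" ] || return 1
    rm -- "$link"
}
```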
https://bugzilla.novell.com/show_bug.cgi?id=713647#c

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|jeffm@suse.com              |suse-beta@cboltz.de
https://bugzilla.novell.com/show_bug.cgi?id=713647#c3

--- Comment #3 from Christian Boltz <suse-beta@cboltz.de> 2012-09-26 01:22:37 CEST ---

The next version of AppArmor will have the extra profiles in /usr/share/apparmor/extra-profiles/.
https://bugzilla.novell.com/show_bug.cgi?id=713647#c4

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from Christian Boltz <suse-beta@cboltz.de> 2014-03-21 00:29:39 CET ---

Fixed in AppArmor 2.8.95 (aka 2.9 beta1), which I'll submit soon (home:cboltz will have the updated package in some minutes, Factory will have to wait one or two weeks)
https://bugzilla.novell.com/show_bug.cgi?id=713647#c5

--- Comment #5 from Bernhard Wiedemann <bwiedemann@suse.com> 2014-09-07 22:00:09 CEST ---

This is an autogenerated message for OBS integration:
This bug (713647) was mentioned in
https://build.opensuse.org/request/show/247918 Factory / apparmor