Hello,

On Sunday, 1 October 2023, 20:43:19 CEST, Thorsten Kukuk wrote:
On Sat, Sep 30, Andrei Borzenkov wrote:
On 29.09.2023 22:11, Martin Schreiner via openSUSE Factory wrote:
You immediately get problems with AppArmor and SELinux. You cannot assign more than one label to one file.
Since how many years are we now using libalternatives with AppArmor and SELinux? I haven't heard from any problems.
I don't remember a bug report with AppArmor and libalternatives. However, my guess is that the main reason is that so far the programs using libalternatives don't have an AppArmor profile. (Actually I have a few profiles that include read access to /usr/share/libalternatives/, for example the firewalld profile from the apparmor.d project [1].)

What could happen is: programs using libalternatives need to be able to read the config files in /usr/share/libalternatives/, /etc/libalternatives (_guessed_, doesn't exist on my system) and ~/.config/libalternatives.conf. If the profile doesn't allow reading files in /usr/share/libalternatives/, I'd guess that things might break in funny ways (I admit that I didn't check the actual libalternatives/alts behaviour in this case). If the profile "just" doesn't allow reading the override in /etc/ or ~/.config/libalternatives.conf, then I'd guess that "just" the system/user-specific config is ignored.

In addition to that, programs that get started using the "alts" binary need an additional exec rule for /usr/bin/alts if the calling process is confined with a profile.

So if a program comes with an AppArmor profile and later gets changed to use libalternatives, the profile will need these additions.

For completeness: AppArmor rules get checked after resolving symlinks, which means: with update-alternatives symlinks, only permissions for the "real" file are needed.
3 - libalternatives supports user overrides: non-root users can override the alternatives by creating their own local preference file in $HOME/.config/libalternatives.conf. This may be done by invoking "alts" directly, as it serves both purposes.

This will turn into a support nightmare. It needs a tool to query and display what a given program actually is, showing where this decision comes from (similar to systemd-cat).
Such a tool would indeed be helpful for debugging. Maybe as a verbose version of alts -t, additionally saying something like "found in $file"?
Since how many years are we doing this now already? I'm not aware of any support nightmares, not even of support incidents.
I'm not surprised, but let me ask some evil questions:
- how many users know that they can define their own preferences?
- out of those, how many really did so?
- out of those, how many didn't remember it when running into problems?

I'd expect that the answer to the second question is a quite small number, and for the third question it's close to zero.

To really find out, I created a small poll: https://dud-poll.inf.tu-dresden.de/libalternatives/ [2]
Please vote - especially if you have a ~/.config/libalternatives.conf (The "what's that file?" and "I know it, but don't have one" options are there for completeness, but the numbers for these are probably not too interesting.)

As a side note: I checked the content of the libalternatives1 and alts package, and miss documentation for
- the file format in /usr/share/libalternatives/
- what the corresponding path in /etc/ is
- the file format of ~/.config/libalternatives.conf (and BTW: why a single file instead of a directory structure like in /usr/?)

Can you please add this to the README and/or the alts manpage? All these things are probably not too hard to find out, but I still prefer having some clear documentation ;-)
It's always interesting to see how skeptical people are about change, even though they've been using it for years without noticing it.
Indeed. I'd say that knowing about changes is fine, but often (not always ;-) they are less scary than they sound.

Regards,

Christian Boltz

[1] The apparmor.d project provides a set of ~1500 profiles. As a random sample: from the processes running on my laptop, about 70% are confined - including most of KDE. If someone is interested in testing this profile set - it's available in OBS home:cboltz. (Let me warn you that they are currently still in complain mode. I'll switch them to enforce mode sooner or later without a warning on this ML ;-)

[2] That service is similar to doodle, but privacy-friendly (even entering your name is optional)

-- 
If we get Flemish, we should get also Plat-Duutsch, Beirisch and Östereichish. (The last two are the same, but don't tell them that, because the inhabitants think they are not, because they are better than the other. :) [houghi in opensuse]
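The profile additions discussed in the message above, written out as an added example (not code from the post, from libalternatives or from the apparmor.d project). The profile name and binary path /usr/bin/example-tool are placeholders, and /etc/libalternatives is the path that is only guessed in the thread:

```apparmor
# Added example, not from the mailing-list post or the projects it mentions:
# the rules a confined program's AppArmor profile needs once the program
# uses libalternatives. "example-tool" and /usr/bin/example-tool are placeholders.
abi <abi/3.0>,
include <tunables/global>

profile example-tool /usr/bin/example-tool {
  include <abstractions/base>

  /usr/bin/example-tool mr,

  # default alternative definitions shipped by packages
  /usr/share/libalternatives/ r,
  /usr/share/libalternatives/** r,

  # system-wide override (this /etc path is only guessed in the thread)
  /etc/libalternatives/ r,
  /etc/libalternatives/** r,

  # per-user override; 'owner' restricts the rule to files the user owns
  owner @{HOME}/.config/libalternatives.conf r,

  # only needed if the program starts other tools through the alts binary.
  # With ix, alts inherits this profile, so the target binary it finally
  # executes also needs an exec rule in this profile (symlinks are resolved
  # first, so the rule must name the real file).
  /usr/bin/alts ix,
}
```

Without the /usr/share/libalternatives/ rules the denial shows up as an AppArmor DENIED audit event for the open() of the config file, which is the first thing to check when a newly converted program misbehaves under a profile.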