[pkg-apparmor] Bug#843461: apparmor: Support usrmerge
Christian Boltz
debian-bugs at cboltz.de
Tue Nov 8 14:58:36 UTC 2016
Hello,
On Tuesday, 8 November 2016, 15:06:50 CET, intrigeri wrote:
> Christian: did OpenSUSE go through something like usrmerge? If you
> did, how did you handle it?
openSUSE moved lots of binaries, but not all of them, from /{s,}bin/ to
/usr/{s,}bin/.
> Besides, they
> significantly increase policy compilation time.
I never benchmarked that - do you have some numbers?
> But I recommend against using alias rules by default, system-wide, in
> a distribution like Debian: they cause too much action at a distance
> and subtle breakage, which will make it hard for users to debug issues
> themselves, and for us to understand their bug reports.
Right. Shipping aliases _will_ confuse users and make things harder.
> So the only option I can think of is going through all profiles we
> ship, and making sure that every instance of /bin becomes /{usr/,}bin.
That's exactly what I did - for example, the /bin/ping profile became
/{usr/,}bin/ping. These changes have all been in the upstream bzr for a
long time.
To keep the profile names readable, I'd recommend using something like
profile ping /{usr/,}bin/ping
(and yes, for exactly the ping example, I didn't do that ;-)
> This seems doable since we ship relatively few profiles, spread over
> a relatively small number of packages, and they contain few /bin/*
> permissions. A quick look at a sid system gives me these
> packages needing such changes: evince, apparmor-profiles-extra,
> libvirt-daemon-system, cups-daemon, apparmor-profiles, apparmor,
> telepathy-mission-control-5 (non-exhaustive list). Thankfully, this
> will benefit all other distros as well, and could even be done
> collaboratively if anyone other than Debian is interested :)
That reminds me of the profile repo which would make sharing profiles
and cross-contributions much easier ;-)
I know everybody is always busy etc., so maybe we can start with a small
step like a place where I can find all profiles Debian ships at one
location?
For openSUSE, I have the apparmor-profiles-collector package at
http://download.opensuse.org/repositories/home:/cboltz/openSUSE_Factory/noarch/ [1]
You can unpack the RPM package with rpm2cpio $file | cpio -dium
or browse it using mc ;-)
Currently, I simply copy the profiles and record from which package they
come. If you are interested in my (trivial) script doing this, have a
look at
https://build.opensuse.org/package/show/home:cboltz/apparmor-profile-collector
I'm sure it would be trivial to get "Debian" and "openSUSE" directories
in the apparmor-profiles git repo. Even without all the metadata etc.
we discussed, this would be much more useful than the current state.
Regards,
Christian Boltz
[1] It will probably have to move to a separate repo so that it doesn't
collect the profiles from the latest apparmor-profiles package in
this repo instead of the apparmor-profiles used in each
distribution, but this "only" affects profiles from AppArmor bzr.
--
Life used to be simpler when apple and blackberry were just fruits!
[from https://bugzilla.novell.com/quips.cgi]
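The mechanical part of what is discussed above, turning every /bin and /sbin path in a profile into the /{usr/,}bin form, and finding the profiles that still need it, as an added example in POSIX shell. This is not code from the bug report, from Christian's collector script or from the AppArmor project; the sample profile, the function names and the /s?bin/ matching rule are assumptions made here for illustration.

```shell
# Added example (not from the bug report or the AppArmor project): rewrite
# hard-coded /bin and /sbin paths in AppArmor profile text to the
# /{usr/,}bin form so one profile works on merged and unmerged systems.
# Paths already written as /usr/bin/... or /{usr/,}bin/... are left alone.

# Filter: profile text on stdin, rewritten text on stdout.
usrmerge_paths() {
    # A path token starts at the beginning of a line or after whitespace;
    # that is what keeps /usr/bin/foo (where "/bin/" is mid-path) untouched.
    sed -E 's#(^|[[:space:]])/(s?bin)/#\1/{usr/,}\2/#g'
}

# List the profile files under a directory that still contain such paths
# (the "quick look" the thread talks about), without modifying anything.
list_unmerged_profiles() {
    grep -rlE '(^|[[:space:]])/s?bin/' "$1" 2>/dev/null || true
}

# Constructed sample profile (not a real shipped profile), in the style of
# the ping profile discussed above.
SAMPLE_PROFILE='#include <tunables/global>
/bin/ping {
  #include <abstractions/base>
  /bin/ping mr,
  /usr/bin/ping r,
  /{usr/,}bin/true ix,
  /sbin/ip Px,
}'

# Run the rewrite on the sample; the profile name and the /bin and /sbin
# rules change, the /usr/bin and /{usr/,}bin rules stay as they are.
rewrite_sample() {
    printf '%s\n' "$SAMPLE_PROFILE" | usrmerge_paths
}

rewrite_sample
```

Run it over a real tree with something like `list_unmerged_profiles /etc/apparmor.d` first and review each hit by hand before piping files through `usrmerge_paths`: the rewrite is purely textual and does not know whether a given binary was actually moved in your distribution.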