[Pkg-openldap-devel] Bug#488409: Bug#488409: patch for compatibility with apparmor

Russ Allbery rra at debian.org
Sat Jun 28 18:21:12 UTC 2008


Steve Langasek <vorlon at debian.org> writes:

> The attached patch has been applied to the Ubuntu openldap2.3 source
> package, for compatibility with apparmor.  Without this patch, applying an
> apparmor policy to slapd causes all of slap* to break, because these are
> installed as symlinks and as a result the same apparmor policy is applied to
> them when it shouldn't be - preventing, e.g., using slapadd/slapcat to
> read/write to an ldif in a user's home directory.
>
> The following explanation is provided in the changelog:
>
>   - debian/rules, debian/slapd.links: use hard links to slapd instead of
>     symlinks for slap* so these applications aren't confined by apparmor
>     (LP: #203898)
>
> Should we incorporate this patch into the Debian package?  FWIW, the Ubuntu
> openldap2.3 package has been patched somewhat extensively for apparmor
> support, but given that Debian doesn't support apparmor I don't see the
> point in bloating the package with a bunch of apparmor code; whereas I can't
> see anything that would be a problem with switching the symlinks to hard
> links, since we're maintaining a static list of them either way.

Seems fine to me.  I don't believe Policy has any position one way or the
other on links within a directory and it should be equivalent.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
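
The symlink versus hard link distinction discussed in this thread, as an added example (not part of the original message or of the Ubuntu patch): a shell sketch that builds a constructed sandbox with stand-ins for slapd, a symlinked slapcat and a hard-linked slapadd, and reports how each tool is linked and which name remains once symlinks are followed. The sandbox layout and the helpers `inode`, `link_kind` and `exec_path` are assumptions made for illustration; the script does not invoke AppArmor.

```shell
#!/bin/sh
# Constructed sandbox with stand-in files; not the real package layout.
sandbox=$(mktemp -d)
trap 'rm -rf "$sandbox"' EXIT
printf '#!/bin/sh\nexit 0\n' > "$sandbox/slapd"
chmod 755 "$sandbox/slapd"
ln -s slapd "$sandbox/slapcat"          # symlink: layout before the patch
ln "$sandbox/slapd" "$sandbox/slapadd"  # hard link: layout after the patch

# Inode number of a path (hypothetical helper).
inode() { ls -di "$1" | awk '{print $1}'; }

# link_kind TOOL TARGET: how TOOL relates to TARGET (hypothetical helper).
link_kind() {
    if [ -L "$1" ]; then
        echo symlink
    elif [ "$(inode "$1")" = "$(inode "$2")" ]; then
        echo hardlink
    else
        echo separate
    fi
}

# exec_path TOOL: the name left after following symlinks on the final
# path component, i.e. the name a policy keyed on the slapd path would
# be compared with (hypothetical helper, simplified model).
exec_path() {
    p=$1
    while [ -L "$p" ]; do
        t=$(readlink "$p")
        case $t in
            /*) p=$t ;;
            *)  p=$(dirname "$p")/$t ;;
        esac
    done
    echo "$p"
}

# Report each tool's link type and resolved name.
for tool in slapcat slapadd; do
    printf '%s: %s, resolves to %s\n' "$tool" \
        "$(link_kind "$sandbox/$tool" "$sandbox/slapd")" \
        "$(exec_path "$sandbox/$tool")"
done
```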




