[Pkg-samba-maint] Bug#896080: [pkg-apparmor] Improve samba/AppArmor integration

Christian Boltz debian-bugs at cboltz.de
Sun Feb 24 22:33:29 GMT 2019


Hello,

I agree that local/ isn't the perfect place. That said...

On Sunday, 24 February 2019, 20:42:55 CET, Mathieu Parent wrote:
> On Sunday, 24 February 2019, intrigeri <intrigeri at debian.org> wrote:
> > intrigeri:
> >> So I'll add this:
> >>    #include if exists /etc/apparmor.d/samba/smbd-shares
> > 
> > I mean:
> >    #include if exists <samba/smbd-shares>
> 
> I'm OK with this path and understand your rationale. However, I try to
> avoid distribution divergence. 

We had a similar discussion upstream quite a while (years?) ago, but 
didn't reach an agreement on which path to use.

I'm not sure if I like your samba/... path - it's not bad in itself, 
but it opens a can of worms. Let's assume for a moment that more 
programs auto-generate profile snippets. Do we really want to have one 
directory for each of them (always holding a single file)? I'm afraid 
that might produce an interesting forest in /etc/apparmor.d/...

Counter-proposal: What about  /etc/apparmor.d/autogenerated/$whatever  ? 
That directory could be used by multiple programs.

> Christian: any chance that the
> opensuse path changes too?

We'll have to migrate existing users (and therefore probably have to 
support both paths in the samba profile for a while). 
That makes things more interesting[tm], but won't stop me from keeping 
the path in sync ;-)


Another note: update-apparmor-samba-profile does

    test -e "$profilesniplet" || silentexit "apparmor profile snippet not available"

which means you _have to_ ship a (possibly empty) snippet to ensure the 
script works.

The alternative would be to change that test to something like

    test -d "/etc/apparmor.d/autogenerated" || silentexit "directory for autogenerated profile sniplets doesn't exist"


Regards,

Christian Boltz
-- 
> This is yet another one of those nice popcorn threads that I
> want to add my mustard to:
Popcorn with mustard....<shudder/> :-)
[> Jens Nixdorf and Rainer Koenig in suse-linux]
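
Added example (not part of the original message and not the real update-apparmor-samba-profile script): the two guards discussed above, run against a fresh install where the directory exists but no snippet has been shipped. The smbd-shares file name inside the snippet directory, the generated rule format, the share paths and the skipping of paths that contain quote or glob characters are assumptions made for this illustration.

```sh
#!/bin/sh
# Added illustration, not the real update-apparmor-samba-profile.
# The smbd-shares file name, rule format and share paths are assumptions.

# Current-style guard: proceed only if the snippet file already exists.
guard_file() { test -e "$1/smbd-shares"; }

# Proposed guard: proceed whenever the shared directory exists.
guard_dir() { test -d "$1"; }

# Read share paths (one per line) on stdin and write the snippet atomically:
# build a temp file in the same directory, then rename it over the target,
# so a profile reload never reads a half-written include.
write_snippet() {
    dir=$1
    tmp=$(mktemp "$dir/.smbd-shares.XXXXXX") || return 1
    while IFS= read -r path; do
        case $path in
            /*) ;;                  # absolute paths only
            *) continue ;;
        esac
        case $path in               # skip quotes and AppArmor glob characters
            *\"*|*\**|*\?*|*\[*|*\]*|*\{*|*\}*) continue ;;
        esac
        printf '"%s/" rk,\n"%s/**" lrwk,\n' "${path%/}" "${path%/}"
    done > "$tmp"
    chmod 644 "$tmp" && mv -f "$tmp" "$dir/smbd-shares"
}

# $1 = snippet directory, $2 = guard function. Returns 2 on "silent exit".
update_profile() {
    "$2" "$1" || return 2
    write_snippet "$1"
}

# Constructed demo: fresh install, directory present, no snippet shipped.
demo=$(mktemp -d) && mkdir "$demo/autogenerated"
printf '/srv/samba/public\n' | update_profile "$demo/autogenerated" guard_file \
    || echo "file guard: skipped, no snippet shipped"
printf '/srv/samba/public\n' | update_profile "$demo/autogenerated" guard_dir \
    && cat "$demo/autogenerated/smbd-shares"
rm -rf "$demo"
```

With the file guard the generator never runs on a fresh install, so smbd stays confined to whatever the base profile allows until someone ships the file; with the directory guard the first run creates it.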