[Pkg-samba-maint] Bug#896080: [pkg-apparmor] Improve samba/AppArmor integration

Mathieu Parent math.parent at gmail.com
Mon Feb 25 10:02:24 GMT 2019


On Sun, 24 Feb 2019 at 23:33, Christian Boltz <debian-bugs at cboltz.de> wrote:
>
> Hello,

Hello,

> I agree that local/ isn't the perfect place. That said...
>
> On Sunday, 24 February 2019, 20:42:55 CET Mathieu Parent wrote:
> > On Sunday, 24 February 2019, intrigeri <intrigeri at debian.org> wrote:
> > > intrigeri:
> > >> So I'll add this:
> > >>    #include if exists /etc/apparmor.d/samba/smbd-shares
> > >
> > > I mean:
> > >    #include if exists <samba/smbd-shares>
> >
> > I'm OK with this path and understand your rationale. However, I try to
> > avoid distribution divergence.
>
> We had a similar discussion upstream quite a while (years?) ago, but
> didn't reach an agreement on which path to use.
>
> I'm not sure if I like your samba/... path - it's not bad in itself,
> but it opens a can of worms. Let's assume for a moment that more
> programs auto-generate profile snippets. Do we really want to have one
> directory for each of them (always holding a single file)? I'm afraid
> that might produce an interesting forest in /etc/apparmor.d/...
>
> Counter-proposal: What about  /etc/apparmor.d/autogenerated/$whatever  ?
> That directory could be used by multiple programs.

OK for me. Intrigeri?

> > Christian: any chance that the
> > opensuse path changes too?
>
> We'll have to migrate existing users (and therefore probably have to
> support both paths in the samba profile for a while).
> That makes things more interesting[tm], but won't stop me from keeping
> the path in sync ;-)
>
>
> Another note: update-apparmor-samba-profile does
>
>     test -e "$profilesniplet" || silentexit "apparmor profile snippet not available"
>
> which means you _have to_ ship a (possibly empty) snippet to ensure the
> script works.
>
> The alternative would be to change that test to something like
>
>     test -d "/etc/apparmor.d/autogenerated" || silentexit "directory for autogenerated profile sniplets doesn't exist"

I prefer testing the parent directory.

>
> Regards,
>
> Christian Boltz


Regards
-- 
Mathieu


