[Pkg-samba-maint] Bug#896080: [pkg-apparmor] Improve samba/AppArmor integration
intrigeri
intrigeri at debian.org
Tue Feb 26 07:57:01 GMT 2019
Hi,
Christian Boltz:
> I'm not sure if I like your samba/... path - it's not bad on itself,
> but it opens a can of worms.
… and it's actually an even deeper can of worms: arguably /etc is not
the right place to store auto-generated files that the local
administrator should not touch. They should be in /var. But from
a Debian perspective, it's way too late in the Buster dev cycle to
tackle this related problem.
> Let's assume for a moment that more
> programs auto-generate profile snippets. Do we really want to have one
> directory for each of them (always holding a single file)? I'm afraid
> that might produce an interesting forest in /etc/apparmor.d/...
On my system I currently have 43 regular files (profiles) at the top
level under /etc/apparmor.d/, 5 standard directories created by the
apparmor package, and a couple program-specific directories (libvirt,
lxc). It's not obvious to me what's the problem with creating a few
more directories in there. Can you please explain? :)
> Counter-proposal: What about /etc/apparmor.d/autogenerated/$whatever ?
> That directory could be used by multiple programs.
If there's a good reason why creating per-program directories
(= namespaces) directly under /etc/apparmor.d/ and why /var is not an
option, fine. But then the proverbial $someone needs to migrate
libvirt there, otherwise we're just creating a N+1'th standard¹ and
making things more inconsistent than they already are.
Wrt. Debian and Buster: this path is mostly an internal implementation
detail and it seems easy to change it later. Since there's no clear
consensus at this point, I would not block on this conversation and
I recommend uploading src:samba using the path I've already added
support for. Then we can have this conversation in a relaxed manner
instead of under a super-tight schedule, aiming at finding a great
solution for Bullseye (Debian 11), ideally under /var.
[1] https://xkcd.com/927/
Cheers,
--
intrigeri