[Pkg-samba-maint] Bug#896080: [pkg-apparmor] Improve samba/AppArmor integration

Mathieu Parent math.parent at gmail.com
Tue Feb 26 21:05:51 GMT 2019


On Tue, 26 Feb 2019 at 09:06, intrigeri <intrigeri at debian.org> wrote:
>
> Hi,
>
> Christian Boltz:
> > I'm not sure if I like your samba/... path - it's not bad on itself,
> > but it opens a can of worms.
>
> … and it's actually an even deeper can of worms: arguably /etc is not
> the right place to store auto-generated files that the local
> administrator should not touch. They should be in /var. But from
> a Debian perspective, it's way too late in the Buster dev cycle to
> tackle this related problem.
>
> > Let's assume for a moment that more
> > programs auto-generate profile snippets. Do we really want to have one
> > directory for each of them (always holding a single file)? I'm afraid
> > that might produce an interesting forest in /etc/apparmor.d/...
>
> On my system I currently have 43 regular files (profiles) at the top
> level under /etc/apparmor.d/, 5 standard directories created by the
> apparmor package, and a couple program-specific directories (libvirt,
> lxc). It's not obvious to me what's the problem with creating a few
> more directories in there. Can you please explain? :)
>
> > Counter-proposal: What about  /etc/apparmor.d/autogenerated/$whatever  ?
> > That directory could be used by multiple programs.
>
> If there's a good reason why creating per-program directories
> (= namespaces) directly under /etc/apparmor.d/ and why /var is not an
> option, fine. But then the proverbial $someone needs to migrate
> libvirt there, otherwise we're just creating a N+1'th standard¹ and
> making things more inconsistent than they already are.
>
> Wrt. Debian and Buster: this path is mostly an internal implementation
> detail and it seems easy to change it later. Since there's no clear
> consensus at this point, I would not block on this conversation and
> I recommend uploading src:samba using the path I've already added
> support for. Then we can have this conversation in a relaxed manner
> instead of under a super-tight schedule, aiming at finding a great
> solution for Bullseye (Debian 11), ideally under /var.


OK. Will do like this


Regards
-- 
Mathieu


