----------------------------------------
From: David Runge <dave@sleepmap.de>
Sent: Sat Sep 22 21:43:20 CEST 2018
To: Geo Kozey <geokozey@mailfence.com>
Cc: General Discussion about Arch Linux <arch-general@archlinux.org>
Subject: Re: [arch-general] AppArmor support

On 2018-09-22 18:38:14 (+0200), Geo Kozey wrote:
It's almost there ;)
'/usr/bin/subdomain_parser' under [qualifiers] is still duplicated.

Ah, the match was not good enough yet. Now it should be!

I'm not sure if 'apparmor_parser' and 'subdomain_parser' under [settings] have to be modified. IMO they should work as symlinks too.

It's easier for replacing the sbin stuff atm.

BTW: users transition from AUR may be complicated as now apparmor package will contain files available in apparmor-* split packages before. Maybe you have to add 'replaces=' for split packages.

This is already the case.

Also there aren't such things like:

Yeah, I figured.

/usr/bin/subdomain_parser

This one is utterly bizarre. I have no clue where this is supposed to be coming from, because it's not included in the sources, but mentioned in regression and stress tests and there's a config and man page for it! oO
This is legacy cruft. Perhaps it exists on some ancient distributions. We shouldn't care about it.
/usr/bin/logprof
/usr/bin/genprof

These seem to be around as /usr/bin/aa-{logprof,genprof} and are installed this way as defined in source code. Very... odd. I'll change the configuration to reflect that for now...
Same as above. As you can see no other aa-* tools are whitelisted this way. We should ignore this.
in Arch anyway so creating them isn't necessary. Perhaps if there is anything left to change in [qualifiers] section, it can be upstreamed as well.

Yeah, the configuration needs to be extended to also cover /usr/bin (for our case). I'm already compiling a list of things that need to be taken care of upstream, to make packaging less painful.
I looked at the diff between our logprof.conf and upstream, here are my thoughts:

/var/log/syslog.log and /var/log/syslog.log don't exist in Arch as logs are handled by journald. There is syslog-ng package in extra but according to its docs it uses /var/log/syslog and /var/log/messages so we're actually breaking this instead of fixing.

As mentioned earlier /sbin/apparmor_parser should work through symlink as well.

Also as mentioned earlier subdomain_parser, logprof, genprof are legacy cruft and can be ignored.

cardmgr is something pcmcia related. IIRC pcmcia tools were dropped from Arch some time ago. I think no repo or AUR package provides cardmgr. I checked that it doesn't even exist in Debian stable. It can be ignored.

killall5 - again it doesn't exist in Arch.

There are no other differences so in conclusion I think it's safe for us to leave logprof.conf untouched.
Thanks for all the feedback!
Best, David
--
I also recommend to backport upstream 'binmerge' patch rather than using custom sed rules as it will further reduce our diff and bring us as close to upstream as we can get. I prepared PKGBUILD in case you're interested

BTW: every interaction with PKGBUILD spits:

find: ‘etc/apparmor.d/’: No such file or directory

which probably comes from:
https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packa...

I don't know if it can be fixed somehow.

Yours sincerely
G. K.