[arch-general] AppArmor support

Geo Kozey geokozey at mailfence.com
Sat Sep 22 16:38:14 UTC 2018


> ----------------------------------------
> From: Geo Kozey via arch-general <arch-general at archlinux.org>
> Sent: Sat Sep 22 18:23:58 CEST 2018
> To: David Runge <dave at sleepmap.de>
> Cc: Geo Kozey <geokozey at mailfence.com>, General Discussion about Arch Linux <arch-general at archlinux.org>
> Subject: Re: [arch-general] AppArmor support
> 
> 
> > ----------------------------------------
> > From: David Runge <dave at sleepmap.de>
> > Sent: Sat Sep 22 17:43:51 CEST 2018
> > To: Geo Kozey <geokozey at mailfence.com>
> > Cc: General Discussion about Arch Linux <arch-general at archlinux.org>
> > Subject: Re: [arch-general] AppArmor support
> > 
> > 
> > Hi Geo,
> > 
> > On 2018-09-22 15:13:20 (+0200), Geo Kozey wrote:
> > > After [0] sed rules are applied to all apparmor config files, not just
> > > profiles which results in unwanted errors:
> > > 
> > > configparser.DuplicateOptionError: While reading from
> > > '/etc/apparmor/logprof.conf' [line 47]: option '/usr/bin/bash' in
> > > section 'qualifiers' already exists
> > > 
> > > You should limit it to profiles only as it was before.
> > > 
> > > [0] https://git.archlinux.org/svntogit/community.git/commit/trunk?h=packages/apparmor&id=4dc153bf8e26239a55409ac5d1994f6575e057c5
> > Thanks for the info!
> > That was indeed a problem, but not because of the profile modifications.
> > I did way too broad replacements in logprof.conf, that led to the
> > duplicate entries you are experiencing (as there are entries for /bin
> > and /usr/bin for most binaries).
> > 
> > I have now fixed this in 2.13.0-6 (by carefully only replacing the use
> > of sbin where needed). Please let me know, if this works as intended for
> > you!
> > 
> > Best,
> > David
> > 
> > -- 
> 
> It's almost there ;)
> 
> '/usr/bin/subdomain_parser' under [qualifiers] is still duplicated.
> 
> I'm not sure if 'apparmor_parser' and 'subdomain_parser' under [settings]
> have to be modified. IMO they should work as symlinks too.
> 
> BTW: users' transition from AUR may be complicated, as the apparmor
> package will now contain files previously available in the apparmor-* split
> packages. Maybe you have to add 'replaces=' for split packages.
> 
> Yours sincerely
> 
> G. K.

Also, there are no such things as:

/usr/bin/subdomain_parser
/usr/bin/logprof
/usr/bin/genprof

in Arch anyway, so creating them isn't necessary. Perhaps if there is anything
left to change in the [qualifiers] section, it can be upstreamed as well.

Yours sincerely

G. K.
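
Added example, not part of the original message or of the Arch package: a check that reproduces the configparser.DuplicateOptionError discussed in this thread and reports which options collide after path rewriting. The sample config and the `broad_rewrite` rule are constructed assumptions, not the real logprof.conf contents or the packaging sed rules.

```python
import configparser
import re
# Constructed sample in the style of logprof.conf; NOT the real file contents.
SAMPLE = """\
[settings]
parser = /sbin/apparmor_parser

[qualifiers]
/bin/bash = icnu
/usr/bin/bash = icnu
/sbin/subdomain_parser = icn
/usr/sbin/subdomain_parser = icn
"""

def broad_rewrite(text):
    """Hypothetical over-broad rule: fold /bin, /sbin, /usr/sbin into /usr/bin."""
    return re.sub(r"(?<![\w/])(?:/usr)?/s?bin/", "/usr/bin/", text)

def find_duplicates(text):
    """Return (section, option, first_line, dup_line) for each repeated option."""
    seen, dups, section = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        # configparser lowercases option names and splits on '=' or ':'
        option = re.split(r"\s*[=:]", line, maxsplit=1)[0].lower()
        if (section, option) in seen:
            dups.append((section, option, seen[(section, option)], lineno))
        else:
            seen[(section, option)] = lineno
    return dups

def strict_parse_ok(text):
    """True if configparser in its default strict mode accepts the text."""
    try:
        configparser.ConfigParser().read_string(text)
        return True
    except configparser.DuplicateOptionError:
        return False

if __name__ == "__main__":
    rewritten = broad_rewrite(SAMPLE)
    print("strict parse ok:", strict_parse_ok(rewritten))
    for section, option, first, dup in find_duplicates(rewritten):
        print(f"[{section}] {option}: line {dup} repeats line {first}")
```

Unlike the exception, which stops at the first collision, `find_duplicates` lists every colliding option in one pass, so it can be run against the rewritten file at package build time.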

