[arch-general] AppArmor support

Geo Kozey geokozey at mailfence.com
Sun Sep 23 09:56:11 UTC 2018


> ----------------------------------------
> From: David Runge <dave at sleepmap.de>
> Sent: Sat Sep 22 21:43:20 CEST 2018
> To: Geo Kozey <geokozey at mailfence.com>
> Cc: General Discussion about Arch Linux <arch-general at archlinux.org>
> Subject: Re: [arch-general] AppArmor support
> 
> 
> On 2018-09-22 18:38:14 (+0200), Geo Kozey wrote:
> > > It's almost there ;)
> > > 
> > > '/usr/bin/subdomain_parser' under [qualifiers] is still duplicated.
> Ah, the match was not good enough yet. Now it should be!
> 
> > > I'm not sure if 'apparmor_parser' and 'subdomain_parser' under [settings]
> > > have to be modified. IMO they should work as symlinks too.
> It's easier for replacing the sbin stuff atm.
> 
> > > BTW: users transition from AUR may be complicated as now apparmor
> > > package will contain files available in apparmor-* split packages before.
> > > Maybe you have to add 'replaces=' for split packages.
> This is already the case.
> 
> > Also there aren't such things like:
> Yeah, I figured.
> 
> > /usr/bin/subdomain_parser
> This one is utterly bizarre. I have no clue where this is supposed to be
> coming from, because it's not included in the sources, but mentioned in
> regression and stress tests and there's a config and man page for it! oO
> 

This is legacy cruft. Perhaps it exists on some ancient distributions.
We shouldn't care about it.

> > /usr/bin/logprof
> > /usr/bin/genprof
> These seem to be around as /usr/bin/aa-{logprof,genprof} and are
> installed this way as defined in source code.
> Very... odd.
> I'll change the configuration to reflect that for now...
> 

Same as above. As you can see, no other aa-* tools are whitelisted this way.
We should ignore this.

> > in Arch anyway so creating them isn't necessary. Perhaps if there is anything
> > left to change in [qualifiers] section, it can be upstreamed as well.
> Yeah, the configuration needs to be extended to also cover /usr/bin (for
> our case).
> I'm already compiling a list of things that need to be taken care of
> upstream, to make packaging less painful.
> 

I looked at the diff between our logprof.conf and upstream, here are
my thoughts:

/var/log/syslog.log and /var/log/syslog.log don't exist in Arch, as logs
are handled by journald. There is a syslog-ng package in extra, but
according to its docs it uses /var/log/syslog and /var/log/messages, so
we're actually breaking this instead of fixing it.

As mentioned earlier, /sbin/apparmor_parser should work through a
symlink as well.

Also, as mentioned earlier, subdomain_parser, logprof and genprof are
legacy cruft and can be ignored.

cardmgr is something pcmcia-related. IIRC pcmcia tools were dropped
from Arch some time ago. I think no repo or AUR package provides
cardmgr. I checked that it doesn't even exist in Debian stable. It can be
ignored.

killall5 - again, it doesn't exist in Arch.

There are no other differences, so in conclusion I think it's safe for us to
leave logprof.conf untouched.

> Thanks for all the feedback!
> 
> Best,
> David

I also recommend backporting the upstream 'binmerge' patch rather than using
custom sed rules, as it will further reduce our diff and bring us as close to
upstream as we can get. I prepared a PKGBUILD in case you're interested.

BTW: every interaction with the PKGBUILD spits out:

find: ‘etc/apparmor.d/’: No such file or directory

which probably comes from:

https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/apparmor#n104

I don't know if it can be fixed somehow.

Yours sincerely

G. K.
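The audit done by hand above (which of the binaries and log files named in logprof.conf actually exist on the host, and whether /sbin entries are satisfied through the symlink) as a script. This is an added example, not code from the thread, from Arch's PKGBUILD or from the AppArmor project; the logprof.conf text embedded in it is a constructed sample assembled from the entries the thread mentions, and the qualifier letters in it are illustrative, not upstream's values. The `exists` and `realpath` parameters are only there so the check can be run against a fake filesystem as well as the live one.

```python
"""Audit the filesystem paths referenced by an AppArmor logprof.conf.

Added example (not code from the thread or from the AppArmor project):
parses the [settings] and [qualifiers] sections and reports which
referenced binaries and log files are absent on the host, which is the
check the thread does by hand for cardmgr, killall5, subdomain_parser etc.
"""
import os
from typing import Callable, Dict, List, Tuple

# Constructed sample in the style of logprof.conf, using only the entries
# the thread mentions; the qualifier letters are illustrative, not upstream's.
SAMPLE_LOGPROF_CONF = """\
# constructed sample, not the real upstream file
[settings]
  profiledir = /etc/apparmor.d
  logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
  parser = /sbin/apparmor_parser /usr/sbin/apparmor_parser

[qualifiers]
  /sbin/cardmgr = u
  /sbin/killall5 = u
  /usr/bin/apparmor_parser = u
  /usr/bin/subdomain_parser = u
  /usr/bin/logprof = u
  /usr/bin/genprof = u
"""

# Keys in [settings] whose values are whitespace-separated filesystem paths
# (assumed key names, modelled on the upstream file).
PATH_SETTINGS = ("profiledir", "inactive_profiledir", "logfiles", "parser")


def parse_logprof_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parser: '[section]' headers and 'key = value' lines.

    Written by hand rather than with configparser because the keys are
    absolute paths (configparser would lowercase them) and the real file
    indents option lines, which configparser may treat as continuations.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section; ignore it
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def referenced_paths(conf: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (section, key, path) for every path the config points at."""
    found: List[Tuple[str, str, str]] = []
    settings = conf.get("settings", {})
    for key in PATH_SETTINGS:
        for path in settings.get(key, "").split():
            found.append(("settings", key, path))
    # In [qualifiers] the key itself is the path of the binary being qualified.
    for path in conf.get("qualifiers", {}):
        found.append(("qualifiers", path, path))
    return found


def missing_paths(text: str, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Sorted, de-duplicated list of referenced paths that do not exist.

    `exists` follows symlinks by default, so /sbin/apparmor_parser counts as
    present on a merged-/usr system where /sbin -> usr/bin, which is why the
    thread argues that entry does not need rewriting.
    """
    conf = parse_logprof_conf(text)
    return sorted({p for _, _, p in referenced_paths(conf) if not exists(p)})


def resolved_paths(text: str,
                   exists: Callable[[str], bool] = os.path.exists,
                   realpath: Callable[[str], str] = os.path.realpath) -> Dict[str, str]:
    """Map each present path to its symlink-resolved target (unchanged if no link)."""
    conf = parse_logprof_conf(text)
    return {p: realpath(p) for _, _, p in referenced_paths(conf) if exists(p)}


if __name__ == "__main__":
    # Audits the constructed sample against the live host; read
    # /etc/apparmor/logprof.conf instead to audit the installed file.
    for path in missing_paths(SAMPLE_LOGPROF_CONF):
        print("missing:", path)
    for path, target in resolved_paths(SAMPLE_LOGPROF_CONF).items():
        print("present:", path, "" if target == path else "-> " + target)
```

Running it on an Arch box with merged /usr reports /sbin/apparmor_parser as present and resolved under /usr/bin, while the entries the thread calls legacy cruft show up as missing; the same list is what a packager would compare against before deciding whether to sed the config or leave it untouched.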

