[Apparmor-dev] Re: Disable profiles with dpkg-old,
dpkg-new extension and linked from disable dir.
John Johansen
jjohansen at suse.de
Mon Aug 20 08:52:49 MDT 2007
On Mon, Aug 20, 2007 at 10:26:15AM -0400, Mathias Gug wrote:
> Hi,
>
> On Sat, Aug 18, 2007 at 01:45:41PM +0200, Christian Boltz wrote:
> > Hmm, another idea: what about flags=disabled?
> I'm not a big fan of having status flags embedded in the profile file.
> You tend to get conflicts when upgrading the package. The rules and the
> status of the profile are two different type of information and
> shouldn't be kept in the same place.
>
yep. Having the flags embedded in the profile file can cause enough
problems that it isn't worth it. It also doesn't let you see
which profiles are enabled by just looking in a directory.
> > BTW: I don't see a real problem with RPM, it recognizes modified
> > profiles as changed and doesn't touch them. Instead, it puts the
> > profile from the package in a .rpmnew file which doesn't hurt.
> If you remove a profile file from /etc/apparmor.d/ (so that it doesn't
> get loaded at boot), will an rpm upgrade reinstall the profile ?
>
This can be a problem with rpm and one of the reasons we wanted to
avoid going this route.
There are also other goals, like allowing for multiple repositories/
install sources existing similtaneously. This will allow users
to switch between repositories or even cherry pick specific profiles.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://forge.novell.com/pipermail/apparmor-dev/attachments/20070820/271ba2da/attachment.pgp
More information about the Apparmor-dev
mailing list