[Apparmor-dev] Packaging policy?
Christian Boltz
apparmor at cboltz.de
Sun Jun 17 08:39:46 MDT 2007
Hello,

several applications now contain the apparmor profiles in their package
instead of having them in the apparmor-profiles package.
I found the following on opensuse-commit now: [1]
Changelog:
+- add apparmor profile, active in "complain" mode once installed.
+ Use logprof to check for needed adjustments. Use "enforce
+ /usr/sbin/exim" to put the profile into effect.
The profile is installed to:
+install [...] $RPM_BUILD_ROOT/etc/apparmor.d/usr.sbin.exim
I think this method is *not* a good idea because
- people will think the application is protected by default (because
  there is a profile), but it isn't because the profile is in complain
  mode
- exactly those people might wonder why the audit.log is growing that
  much ;-)

IMHO no profile should be shipped in complain mode. Instead,
incomplete/alpha/whatever profiles (aka "profiles that should not be
enforced by default") should be installed to
/etc/apparmor/profiles/extras/

Before I open a bug report:
- Do you agree with the above?
- Is there a policy about this I could add as a pointer?

Regards,
Christian Boltz
[1] Well, actually the commit was in May, but I have a backlog of some
thousand mails :-(
--
In C we had to code our own bugs. In C++ we can inherit them.
[Prof. Gerald Karam]
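
Added example (not part of the original mail, nor any package's own code): a small audit script for the situation described above, listing which profiles in a directory such as /etc/apparmor.d carry the complain flag on disk. It assumes the flags=(...) profile header syntax; the function names and the sample profile text are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# A profile header is a line ending in "{"; the first token (after an optional
# "profile" keyword) is the profile name. Assumes the flags=(...) header syntax.
HEADER = re.compile(r'^\s*(?:profile\s+)?(?P<name>"[^"]+"|\S+)(?P<rest>.*?)\{\s*$')
FLAGS = re.compile(r'flags\s*=\s*\(([^)]*)\)')

def profile_modes(text):
    """Return [(profile_name, mode)] for every profile header found in text."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments and #include lines
        m = HEADER.match(line)
        if not m:
            continue                         # rules end in ",", not "{"
        flags = FLAGS.search(m.group("rest"))
        names = re.split(r"[,\s]+", flags.group(1).strip()) if flags else []
        mode = "complain" if "complain" in names else "enforce"
        found.append((m.group("name").strip('"'), mode))
    return found

def complain_profiles(directory):
    """Map each profile file in directory to the profiles it ships in complain mode."""
    report = {}
    # Only regular files: abstractions/, tunables/ and similar are directories.
    for path in sorted(p for p in Path(directory).iterdir() if p.is_file()):
        modes = profile_modes(path.read_text(errors="replace"))
        hits = [name for name, mode in modes if mode == "complain"]
        if hits:
            report[path.name] = hits
    return report

# Constructed sample, modelled on the file name quoted in the mail.
SAMPLE = """\
#include <tunables/global>
# flags=(complain) in a comment must not count
/usr/sbin/exim flags=(complain) {
  #include <abstractions/base>
  /var/spool/exim/{input,msglog}/** rw,
}
/usr/sbin/ntpd flags=(audit) {
  /etc/ntp.conf r,
}
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(complain_profiles(target) if target else profile_modes(SAMPLE))
```

The script reads only the flag stored in the profile file, so the mode actually loaded in the kernel can differ.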