[Apparmor-dev] Packaging policy?
Crispin Cowan
crispin at novell.com
Mon Jun 18 01:36:52 MDT 2007
Christian Boltz wrote:
> Hello,
>
> several applications now contain the apparmor profiles in their package
> instead of having it in the apparmor-profiles package.
>
Yes, we are on a gradual transition moving from one big RPM of profiles
to having the profiles for each application packaged with the profile.
> I found the following on opensuse-commit now: [1]
>
> Changelog:
> +- add apparmor profile, active in "complain" mode once installed.
> + Use logprof to check for needed adjustments. Use "enforce
> + /usr/sbin/exim" to put the profile into effect.
>
> The profile is installed to:
> +install [...] $RPM_BUILD_ROOT/etc/apparmor.d/usr.sbin.exim
>
> I think this method is *not* a good idea because
> - people will think the application is protected by default (because
> there is a profile), but it isn't because the profile is in complain
> mode
> - exactly those people might wonder why the audit.log is growing that
> much ;-)
>
> IMHO no profile should be shipped in complain mode. Instead,
> incomplete/alpha/whatever profiles (aka "profiles that should not be
> enforced by default") should be installed to
> /etc/apparmor/profiles/extras/
>
> Before I open a bug report:
> - Do you agree with the above?
> - Is there a policy about this I could add as pointer?
>
I agree that it is not good to ship a COMPLAIN profile, for precisely
the reasons you cite.
But I don't know the maintenance history of this profile; you say it was
checked in in May, it may have been checked in in COMPLAIN mode as an
interim development step. So yes, ask about it, but gently :)
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor
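The packaging problem Christian describes (a profile dropped into /etc/apparmor.d that loads in complain mode, so the application looks protected but is not) can be checked for at install or audit time. The following POSIX shell script is an added example, not code from this thread or from the AppArmor project: it parses the top-level header line of each profile file in a directory (assumed to be /etc/apparmor.d or a copy of it; the sample profiles it writes to a temporary directory are constructed) and lists the ones flagged complain.

```shell
#!/bin/sh
# Added example: list AppArmor profile files that would load in complain
# mode. Parses the top-level profile header of each file, e.g.
#   /usr/sbin/exim flags=(complain) {
#   profile exim /usr/sbin/exim {
# A header without flags=(complain) loads in enforce mode.

# Print "<file> <mode>" for one profile file. Only the first line that
# starts at column 0 and opens a brace is inspected; comments, include
# lines and indented hats / child profiles are skipped.
profile_mode() {
    hdr=$(grep -E '^[^[:space:]#{][^{]*[{][[:space:]]*$' "$1" | head -n 1)
    case "$hdr" in
        *"flags=("*complain*")"*) echo "$1 complain" ;;
        "")                       echo "$1 unknown" ;;
        *)                        echo "$1 enforce" ;;
    esac
}

# Print the path of every regular file in a profile directory whose
# header carries the complain flag (subdirectories such as abstractions/
# and tunables/ are skipped).
list_complain_profiles() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(profile_mode "$f")" in
            *" complain") echo "$f" ;;
        esac
    done
}

# Constructed sample profiles for demonstration (not real distro files).
make_sample_profiles() {
    printf '#include <tunables/global>\n/usr/sbin/exim flags=(complain) {\n  /etc/exim/** r,\n}\n' > "$1/usr.sbin.exim"
    printf '#include <tunables/global>\n/usr/sbin/ntpd {\n  /etc/ntp.conf r,\n}\n' > "$1/usr.sbin.ntpd"
    mkdir -p "$1/abstractions"
}

demo() {
    d=$(mktemp -d)
    make_sample_profiles "$d"
    echo "Profiles shipped in complain mode under $d:"
    list_complain_profiles "$d"
    rm -rf "$d"
}

demo
```

Run it against the real directory with `list_complain_profiles /etc/apparmor.d` to see which packaged profiles are not actually enforcing anything.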