[Apparmor-general] separate the abstractions and program-chunks from the profile package ?
John Johansen
jjohansen at suse.de
Thu Aug 2 16:20:26 MDT 2007
On Fri, Aug 03, 2007 at 12:07:04AM +0200, Dieter Bloms wrote:
> Hi,
>
> On Thu, Aug 02, John Johansen wrote:
>
> > splitting out profiles, and making it easier to disable profiles you
> > don't want does make sense and we are moving in that direction.
>
> nice to hear.
>
> > For sles9 the best I can currently recommend is for applications you don't
> > want confined move their associated profiles out of /etc/apparmor.d/
>
> this is no problem, but if Novell provides an update, then the removed
> profiles are there and make some applications not work as expected,
> and if you have to manage about 100 servers, it is a nightmare for me.
>
Yes, this is a real problem and we are currently kicking around a proposal
that changes where profiles are installed, so that rpm managed profiles
are not directly dropped into /etc/apparmor.d/.
I expect we will push the proposal out to apparmor-dev soon.

> At the moment I replace those profile files with empty ones and hope the
> update will not overwrite my empty profiles.

This should work for now.
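Both workarounds discussed in this thread (moving a profile out of /etc/apparmor.d/, or replacing it with an empty file) can be silently undone by a package update. The shell function below is an added example, not part of the original messages or of AppArmor; it reports profiles from an admin-maintained "disabled" list that are present and non-empty again. The list-file format, the function name and the profile names in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): detect intentionally disabled
# AppArmor profiles that a package update has put back.
#
# Assumed list format: one profile file name per line, e.g. a constructed
# name such as "usr.sbin.example"; blank lines and '#' comments are ignored.

# restored_profiles PROFILE_DIR DISABLED_LIST
# Prints each listed profile that exists and is non-empty in PROFILE_DIR.
# Returns 0 if none were restored, 1 if at least one was.
restored_profiles() {
    profile_dir=$1
    disabled_list=$2
    found=0
    # "|| [ -n "$name" ]" also handles a last line without a newline.
    while IFS= read -r name || [ -n "$name" ]; do
        case $name in
            ''|'#'*) continue ;;   # blank line or comment
        esac
        case $name in
            */*)
                # Only plain file names are accepted, so a bad list entry
                # cannot point the check outside PROFILE_DIR.
                echo "skipped (not a plain file name): $name" >&2
                continue ;;
        esac
        # -s is true only for a file that exists AND has size > 0, so a
        # moved-away profile and an emptied profile both count as disabled.
        if [ -s "$profile_dir/$name" ]; then
            printf '%s\n' "$name"
            found=1
        fi
    done < "$disabled_list"
    [ "$found" -eq 0 ]
}

# Run directly as: script PROFILE_DIR DISABLED_LIST
if [ "$#" -eq 2 ]; then
    restored_profiles "$1" "$2"
fi
```

Run after each package update (for example from the configuration management that already handles the servers) with /etc/apparmor.d as the first argument; a non-zero exit status means a profile on the list is active content again.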