[Apparmor-general] separate the abstractions and program-chunks from the profile package ?
Mathias Gug
mathiaz at ubuntu.com
Thu Aug 2 21:03:57 MDT 2007
Hi all,
On Thu, Aug 02, 2007 at 03:20:26PM -0700, John Johansen wrote:
> > this is no problem, but if Novell provides an update, then the removed
> > profiles were there and make some applications not work as expected,
> > and if you have to manage about 100 servers, a nightmare for me.
> >
> yes this is a real problem and we are currently kicking around a proposal
> that changes where profiles are installed, so that rpm managed profiles
> are not directly dropped into /etc/apparmor.d/
>
In Ubuntu, there is the possibility to 'disable' a profile, which means
not loading the profile even if the profile is in /etc/apparmor.d/.
There is a subdirectory disable/ in /etc/apparmor.d/ which has links
pointing to disabled profiles in /etc/apparmor.d/. The init script and
SubDomain.pm have been modified to skip profiles that have a link in
/etc/apparmor.d/disable/. That way profiles are kept in /etc/apparmor.d/
and there isn't any problem when upgrading.
--
Mathias
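
Added example, not part of the original message and not Ubuntu's init script: a sketch of the disable/ lookup described above, run against a constructed temporary tree instead of /etc/apparmor.d/. The function names, the matching by file name and the stale-link check are assumptions of this sketch.

```shell
#!/bin/sh
# Illustration only: matching a profile to its disable/ link by file name
# is an assumption of this sketch.

# Print the profiles in $1 that would be loaded: regular files directly in
# the directory with no same-named entry in $1/disable/.
loadable_profiles() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skips disable/, abstractions/, ...
        name=${f##*/}
        # -L also matches a dangling link, so a broken link still disables
        if [ -e "$dir/disable/$name" ] || [ -L "$dir/disable/$name" ]; then
            continue
        fi
        printf '%s\n' "$name"
    done
}

# Disable a profile by linking to it from disable/. The profile file stays
# where the package put it, so an upgrade can still replace it.
disable_profile() {
    mkdir -p "$1/disable" && ln -sf "../$2" "$1/disable/$2"
}

# Links in disable/ whose target profile no longer exists, e.g. after an
# update renamed or dropped the profile. Worth reviewing on each host.
stale_disables() {
    for l in "$1"/disable/*; do
        [ -L "$l" ] && [ ! -e "$l" ] && printf '%s\n' "${l##*/}"
    done
    return 0
}

# Constructed sample tree: three profiles, one disabled, one stale link.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/abstractions"
    : > "$d/usr.sbin.named"; : > "$d/usr.sbin.ntpd"; : > "$d/sbin.syslogd"
    disable_profile "$d" usr.sbin.ntpd
    disable_profile "$d" usr.sbin.gone   # no such profile: stale link
    loadable_profiles "$d" | tr '\n' ' '
    printf '| '
    stale_disables "$d" | tr '\n' ' '
    rm -rf "$d"
}
demo; echo
```

The output lists the profiles that would load, then the stale links after the `|`.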