[config-package-dev] config-package-dev clashes with AppArmor profiles

Geoffrey Thomas geofft at MIT.EDU
Tue Jul 30 21:31:07 EDT 2013


Hi Adrelanos,

Debathena never found a great solution to this. You might want to look at 
our Trac ticket:
https://debathena.mit.edu/trac/ticket/166

We ended up writing a package "debathena-apparmor-config" to divert the 
various AppArmor rules, abstractions, etc. files and add permissions for 
the things that we, anywhere in Debathena, displace:
https://debathena.mit.edu/trac/browser/trunk/debathena/config/apparmor-config

This isn't a great solution, because it requires all of our config 
packages (that interact with AppArmor profiles) to depend on a single 
debathena-apparmor-config package. It moves the complexity to a common 
place instead of duplicating patterns, but a more ideal approach would 
involve having us somehow note that both e.g. CUPS and 
debathena-kerberos-config are installed, and adjust CUPS's profile at that 
point. We had some issues with debathena-apparmor-config shipping 
transformed profiles that didn't necessarily exist (in particular, those 
profiles #included other files that didn't exist):
https://debathena.mit.edu/trac/ticket/737
Depending on those profiles is also a poor solution, since it means that 
any of our config packages now pull in a lot of unrelated software.

Ideally we'd only mess with AppArmor profiles if both the profile _and_ 
the relevant config package were installed, but there's no particularly 
good way to do that. There are a couple of thoughts on workarounds at
https://debathena.mit.edu/trac/ticket/942

Hope this helps, and if you think of any particularly good solutions let 
us know. :-)

-- 
Geoffrey Thomas
geofft at mit.edu

On Mon, 29 Jul 2013, adrelanos wrote:

> Hi!
>
> I think I found an interesting problem.
>
> /etc/resolv.conf is a symlink to /etc/resolv.conf.whonix
>
> And the AppArmor only allows read access to /etc/resolv.conf, not
> /etc/resolv.conf.whonix.
>
> Could that be fixed in a generic way?
>
> Cheers,
> adrelanos
> _______________________________________________
> config-package-dev mailing list
> config-package-dev at mit.edu
> http://mailman.mit.edu/mailman/listinfo/config-package-dev
>
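The symlink case in the quoted message is the general shape of the problem: AppArmor mediates the path it resolves at open time, so a rule granting read on /etc/resolv.conf does nothing for /etc/resolv.conf.whonix once the former is a symlink to the latter. The following script is an added illustration, not code from Debathena, config-package-dev or Whonix: it reads the plain file rules out of a profile, finds those whose path is a symlink on the running host, and prints the rule the resolved target would need, writing it to a local/ override file. It assumes the profile already carries a `#include <local/...>` line for that file; the function names and the demo profile are hypothetical.

```shell
#!/bin/sh
# Added example (not Debathena's or config-package-dev's code): scan an
# AppArmor profile for file rules whose path is a symlink on this host.
# AppArmor mediates the resolved path, so a rule for /etc/resolv.conf does
# not cover /etc/resolv.conf.whonix once the former is a symlink to the
# latter. The script prints the extra rules a local override would need.
# All function names below are hypothetical.

# Emit "path perms" for each plain file rule in a profile.
# Only handles `[owner] /absolute/path perms,` lines; rules using globs,
# braces, variables (@{...}) and #include lines are skipped.
profile_file_rules() {
    sed -nE 's/^[[:space:]]*(owner[[:space:]]+)?(\/[^[:space:]*{@]*)[[:space:]]+([A-Za-z]+),.*$/\2 \3/p' "$1"
}

# Succeeds if the profile already has a rule for exactly this path.
profile_grants_path() {
    profile_file_rules "$1" | awk -v p="$2" '$1 == p { found = 1 } END { exit !found }'
}

# For every rule whose path is a symlink, print the rule needed for the
# resolved target when the profile does not already contain one.
missing_symlink_rules() {
    profile="$1"
    profile_file_rules "$profile" | while read -r path perms; do
        [ -L "$path" ] || continue
        target=$(readlink -f "$path") || continue
        profile_grants_path "$profile" "$target" && continue
        printf '  %s %s,\n' "$target" "$perms"
    done
}

# Write the missing rules into local/<profile-name> under the given
# directory, the file a `#include <local/...>` line in the main profile
# would pull in (assumed to be present in the profile).
write_local_override() {
    profile="$1"; outdir="$2"
    name=$(basename "$profile")
    mkdir -p "$outdir/local"
    {
        printf '# Generated: rules for symlink targets of paths in %s\n' "$name"
        missing_symlink_rules "$profile"
    } > "$outdir/local/$name"
    printf '%s\n' "$outdir/local/$name"
}

# Constructed demo environment: a fake etc/ with the Whonix-style symlink
# and a minimal profile that only grants the symlink path. Prints the
# profile path.
demo_setup() {
    root="$1"
    mkdir -p "$root/etc" "$root/apparmor.d"
    printf 'nameserver 10.152.152.10\n' > "$root/etc/resolv.conf.whonix"
    ln -s "$root/etc/resolv.conf.whonix" "$root/etc/resolv.conf"
    cat > "$root/apparmor.d/usr.bin.demo" <<EOF
/usr/bin/demo {
  #include <abstractions/base>
  $root/etc/resolv.conf r,
  $root/etc/hosts r,
  #include <local/usr.bin.demo>
}
EOF
    printf '%s\n' "$root/apparmor.d/usr.bin.demo"
}

# Stand-alone run: build the demo tree, show the missing rules, write the
# override, then clean up.
if [ "${DEMO_RUN:-1}" = 1 ]; then
    tmp=$(mktemp -d)
    prof=$(demo_setup "$tmp")
    echo "Rules missing from $prof:"
    missing_symlink_rules "$prof"
    echo "Override written to: $(write_local_override "$prof" "$tmp/apparmor.d")"
    rm -rf "$tmp"
fi
```

Running it on a real profile (`missing_symlink_rules /etc/apparmor.d/usr.sbin.cupsd`) only reports symlinks that exist on that host, which is the "both the profile and the config package are installed" condition from the message above, evaluated at run time rather than at package dependency resolution. It deliberately parses nothing but plain path rules; globbed or variable-based rules need a human, and `apparmor_parser -Q` should still be run on the result before it is trusted.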
