>>
>> #
>> # foo rules
>> #
>> /usr/bin/foo ix,
>> # needed by foo for ...
>> /etc/blah r,
>> # foo connects to this for ...
>> unix ...,
>>
>> #
>> # bar rules
>> #
>> /usr/bin/bar ix,
>> # bar connects to this for ...
>> unix ...,
>>
>> IIUC, the rule templates put the unix rules somewhere else, outside of
>> the context of the need for the rule.
>>
>
> No, no. They are just a way to expand a parser's ability to parse an
> unknown rule just enough so it can skip it and keep processing the
> rules it does know about.
>
> Think of it as being able to drop a set of rule templates into an
> older version of apparmor, so it will support newer policy (yes ignoring)
> without doing a full SRU, which will still just result in the rule
> being dropped unless they are using a newer kernel as well.
>
> The goal is to make it so you won't have to change your policy or
> have multiple versions of policy just because your application is
> running on systems with different versions of apparmor.
>
>
Another way of putting it is, they are NOT policy rules, but a way of extending the parser by updating/dropping a text file in.

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
