Hello,

On Tuesday, 8 November 2016, 15:06:50 CET, intrigeri wrote:
> Christian: did OpenSUSE go through something like usrmerge? If you
> did, how did you handle it?

openSUSE moved lots of binaries, but not all, from /{s,}bin/ to /usr/{s,}bin/

> Besides, they
> significantly increase policy compilation time.

I never benchmarked that - do you have some numbers?

> But I recommend against using alias rules by default, system-wide, in
> a distribution like Debian: they cause too much action at a distance
> and subtle breakage, which will make it hard for users to debug issues
> themselves, and for us to understand their bug reports.

Right. Shipping aliases _will_ confuse users and make things harder.

> So the only option I can think of is going through all profiles we
> ship, and making sure that every instance of /bin becomes /{usr/,}bin.

That's exactly what I did - for example, the /bin/ping profile became
/{usr/,}bin/ping. These changes have all been in the upstream bzr for a long
time.

To keep the profile names readable, I'd recommend using something like

    profile ping /{usr/,}bin/ping

(and yes, exactly for the ping example, I didn't do that ;-)

> This seems doable since we ship relatively few profiles, spread over
> a relatively small number of packages, and they contain few /bin/*
> permissions. A quick look at a sid system gives me these
> packages needing such changes: evince, apparmor-profiles-extra,
> libvirt-daemon-system, cups-daemon, apparmor-profiles, apparmor,
> telepathy-mission-control-5 (non-exhaustive list). Thankfully, this
> will benefit all other distros as well, and could even be done
> collaboratively if anyone else than Debian is interested :)

That reminds me of the profile repo which would make sharing profiles and
cross-contributions much easier ;-)

I know everybody is always busy etc., so maybe we can start with a small step
like a place where I can find all profiles Debian ships at one location?

For openSUSE, I have the apparmor-profiles-collector package at
http://download.opensuse.org/repositories/home:/cboltz/openSUSE_Factory/noarch/ [1]

You can unpack the RPM package with

    rpm2cpio $file | cpio -dium

or browse it using mc ;-)

Currently, I simply copy the profiles and record from which package they come.
If you are interested in my (trivial) script doing this, have a look at
https://build.opensuse.org/package/show/home:cboltz/apparmor-profile-collector

I'm sure it would be trivial to get "Debian" and "openSUSE" directories in the
apparmor-profiles git repo. Even without all the metadata etc. we discussed,
this would be much more useful than the current state.

Regards,

Christian Boltz

[1] it will probably have to move to a separate repo to avoid collecting the
profiles from the latest apparmor-profiles package in this repo instead of the
apparmor-profiles used in each distribution, but this "only" affects profiles
from AppArmor bzr.

-- 
Life used to be simpler when apple and blackberry were just fruits!
[from https://bugzilla.novell.com/quips.cgi]
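The /bin to /{usr/,}bin rewrite discussed in the thread, as an added example that is not part of the mail or of the apparmor-profile-collector script: it rewrites un-merged /bin and /sbin paths in a constructed ping profile, renames the attachment line to the readable `profile ping /{usr/,}bin/ping` form, leaves /usr/bin and already-merged paths alone, and expands the resulting alternation to show that both the merged and un-merged locations are covered. The sample profile contents are constructed for the example.

```python
import re

# Constructed sample profile, modelled on the /bin/ping example in the mail.
SAMPLE_PROFILE = """\
#include <tunables/global>
/bin/ping {
  #include <abstractions/base>
  capability net_raw,
  network inet raw,
  /bin/ping mixr,
  /sbin/ifconfig rix,
  /usr/bin/dig rix,
  /{usr/,}bin/ls rix,
}
"""

# A path rooted at /bin or /sbin that is not part of /usr/bin or /usr/sbin
# (the lookbehind rejects a preceding word character such as the "r" in /usr).
UNMERGED = re.compile(r'(?<![\w/])/(s?bin)/')
# Profile attachment line: "/path/to/binary {" or "/path flags=(...) {".
ATTACH = re.compile(r'^(/\S+)(\s+flags=\([^)]*\))?\s*\{\s*$')


def merge_path(path: str) -> str:
    """Turn /bin/foo or /sbin/foo into /{usr/,}bin/foo resp. /{usr/,}sbin/foo."""
    return UNMERGED.sub(r'/{usr/,}\1/', path)


def merge_profile(text: str) -> str:
    """Rewrite every un-merged /bin path in a profile, including its attachment."""
    out = []
    for line in text.splitlines():
        m = ATTACH.match(line)
        if m and UNMERGED.search(m.group(1)):
            # Give the profile a short name so the merged path stays readable.
            name = m.group(1).rsplit('/', 1)[1]
            line = f"profile {name} {merge_path(m.group(1))}{m.group(2) or ''} {{"
        elif not line.lstrip().startswith('#'):  # skip comments and #include
            line = merge_path(line)
        out.append(line)
    return "\n".join(out) + "\n"


def expand_alternation(path: str) -> list:
    """Expand AppArmor {a,b} alternations into the concrete paths they match."""
    m = re.search(r'\{([^{}]*)\}', path)
    if not m:
        return [path]
    result = []
    for alt in m.group(1).split(','):
        result.extend(expand_alternation(path[:m.start()] + alt + path[m.end():]))
    return result


if __name__ == "__main__":
    print(merge_profile(SAMPLE_PROFILE))
    print(expand_alternation("/{usr/,}bin/ping"))
```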