Michael Biebl:
> Somehow this feels like it should be solved within apparmor itself by
> resolving symlinks.

Thanks for thinking about it. Perhaps I've misunderstood what you mean, so here's my take on it. We need this patch precisely because AppArmor resolves symlinks: when Evince runs /bin/gzip, which is effectively a symlink to /usr/bin/gzip on a merged-/usr system, the path AppArmor takes into account is /usr/bin/gzip.

Cheers,
-- 
intrigeri
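The path resolution described in the message above can be reproduced offline. This is an added example, not part of the original message or of the patch under discussion: it builds a throwaway directory tree laid out like a merged-/usr system and reports which literal rule paths differ from the resolved path. The function names and the sample rule list are assumptions made for illustration.

```python
import os
import tempfile


def build_merged_usr_root():
    """Create a scratch tree shaped like a merged-/usr system (constructed sample)."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="merged-usr-"))
    os.makedirs(os.path.join(root, "usr", "bin"))
    open(os.path.join(root, "usr", "bin", "gzip"), "w").close()
    # On merged-/usr, /bin is a symlink to usr/bin.
    os.symlink("usr/bin", os.path.join(root, "bin"))
    return root


def mediated_path(path, root):
    """Return `path` with symlinks resolved, expressed relative to `root`.

    Assumes the symlinks inside `root` are relative, so resolution stays
    inside the scratch tree.
    """
    resolved = os.path.realpath(os.path.join(root, path.lstrip("/")))
    return "/" + os.path.relpath(resolved, root)


def rules_needing_update(rule_paths, root):
    """Map each literal rule path to its resolved form when the two differ.

    A rule written for the unresolved path does not name the path that is
    actually taken into account after symlink resolution.
    """
    stale = {}
    for rule_path in rule_paths:
        target = mediated_path(rule_path, root)
        if target != rule_path:
            stale[rule_path] = target
    return stale


if __name__ == "__main__":
    root = build_merged_usr_root()
    # Constructed sample rule paths, not taken from the Evince profile.
    for old, new in rules_needing_update(["/bin/gzip", "/usr/bin/gzip"], root).items():
        print(f"{old} resolves to {new}")
```
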

