Control: tag -1 + moreinfo

Hi,

Mikhail Morfikov (2020-07-20):
> currently when the apparmor-profiles package is installed, it installs several
> apparmor profile files. In this way users can have all or none of the profiles
> installed in their systems. Sometimes a user wants only a specific profile (or
> profiles) installed and doesn't really want the other profiles to be installed
> as well because:
>  - he doesn't need the other profiles,
>  - he has his own alternative profiles, which differ in rule sets,
>  - the other profiles simply cause some issues with applications they confine.

> What do you think about another approach, which is to create separate packages
> containing individual apparmor profiles? For instance, there's the
> usr.sbin.dnsmasq file which is related to the dnsmasq package. In this case
> there could be a package named dnsmasq-apparmor-profile which would include the
> usr.sbin.dnsmasq file. If a user wanted to install dnsmasq and also wanted it
> to be confined by the default apparmor profile provided by Debian, he could
> also install dnsmasq-apparmor-profile, which wouldn't affect any other app
> functionality.

The profiles shipped by the apparmor-profiles package are installed in
complain mode. Then the user may choose to enforce the profiles they
need. To me, it seems to already provide the kind of flexibility
you're wishing for, with a much lower overhead on the package
maintenance side. What did I miss?

Apart from this, the way the Debian archive works, having many tiny
packages is problematic, so I don't think your proposal would be
acceptable to the project. I'm not closing this bug report just yet as
I'd like to first better understand what the current setup is lacking
for you.

Cheers!
