On 24/10/2020 14.42, intrigeri wrote:
> Control: tag -1 + moreinfo
> 
> Hi,
> 
> Mikhail Morfikov (2020-07-20):
>> currently when the apparmor-profiles package is installed, it installs several
>> apparmor profile files. In this way users can have all or none of the profiles
>> installed in their systems. Sometimes a user wants only a specific profile (or
>> profiles) installed and doesn't really want the other profiles to be installed
>> as well because:
>>  - he doesn't need the other profiles,
>>  - he has his own alternative profiles, which differ in rule sets,
>>  - the other profiles simply cause some issues with applications they confine.
> 
>> What do you think about another approach, which is to create separate packages
>> containing individual apparmor profiles? For instance, there's the
>> usr.sbin.dnsmasq file which is related to the dnsmasq package. In this case
>> there could be a package named dnsmasq-apparmor-profile which would include the
>> usr.sbin.dnsmasq file. If a user wanted to install dnsmasq and also wanted it
>> to be confined by the default apparmor profile provided by Debian, he could
>> also install dnsmasq-apparmor-profile, which wouldn't affect any other app
>> functionality.
> 
> The profiles shipped by the apparmor-profiles package are installed in
> complain mode. Then the user may choose to enforce the profiles they
> need. To me, it seems to already provide the kind of flexibility
> you're wishing for, with a much lower overhead on the package
> maintenance side. What did I miss?
> 
> Apart from this, the way the Debian archive works, having many tiny
> packages is problematic, so I don't think your proposal would be
> acceptable to the project. I'm not closing this bug report just yet as
> I'd like to first better understand what the current setup is lacking
> for you.
> 
> Cheers!
> 

There are three ways of installing apparmor profiles in Debian:
- an app's package contains some apparmor profile
- some packages contain lots of apparmor profiles
- there are a few packages which contain an app's apparmor profile itself, for 
  instance fwknop-apparmor-profile

So it's a mess.

It would be better to have just one way of installing official Debian apparmor
profiles for apps, i.e. the 3rd option above. Of course a user doesn't
have to install the big package with all the profiles, but when I see a bunch of
apparmor profiles that I don't really need, I simply skip the package or
extract the needed profile and forget about the package. So basically having
multiple profiles in one package makes people less likely to test any of
the profiles included in it and hence less likely to report any issues. It
would be nice to have profiles in individual packages, so users could decide
what they want to install.

What if I had my own profile that would match a specific one that is
provided by apparmor-profiles? What would I have to do in order to
install/upgrade the rest of the profiles from the package and leave my profile
intact? It's very inconvenient and problematic for the end user to handle such
packages.

BTW: Why is having many small packages a problem for the Debian archive?
