Hi,
On Tue, Dec 26, 2017 at 02:47:20PM +0100, Carsten Schoenert wrote:
> Hi again,
> 
> On Tue, Dec 26, 2017 at 12:34:28PM +0100, Guido Günther wrote:
> > > 
> > > Update from 52.4.0 with already disabled AA profile:
> > > The new version holds the disabled AA profile, I just need to do a 'ln
> > > -sf' to prevent an exit code 1 if the symlink is already existing.
> > 
> > Ah, good catch. I'd rather do a
> > 
> >   [ -f /etc/apparmor.d/disable/usr.bin.thunderbird ] || \
> >     ln -s /etc/apparmor.d/usr.bin.thunderbird \
> >       /etc/apparmor.d/disable/usr.bin.thunderbird
> > 
> > in this case since the user might have the symlink point somewhere else
> > for whatever reason. I think we don't want to overwrite that if he made
> > a deliberate choice.
> 
> yes, agreed. Will adopt this.
> 
> > > Anything I'm still missing?
> > 
> > Did you test reinstalling 52.5.2 on top of 52.5.2 with removed link? It
> > shouldn't be recreated in this case (and if it works for this version it
> > will work for all later versions).
> 
> Yes, but I forgot to write this down here.
> Both possible situations worked like wanted, updating 52.5.2-1 to -2
> holds the disabled profile in case the user didn't make some changes on
> the default installation before.
> The other case is also working, a re-enabled profile stays enabled after
> the update to -2.
> 
> I will prepare and do an upload in the next hours.

Great. I'll cherry-pick the fix on top of the version for
wheezy-security and upload later today so you can drop '-sa'.

Cheers,
 -- Guido
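
The difference between plain `ln -s`, `ln -sf` and the guarded form discussed in this thread, as an added example that is not part of the original messages or of the thunderbird packaging. It runs in a constructed scratch tree, the function names are hypothetical, and it also tests `-L` so that a dangling link counts as present (an assumption that goes beyond the thread's `[ -f ... ]`).

```shell
#!/bin/sh
# Added example: three ways a maintainer script could create the AppArmor
# "disable" symlink, compared on a constructed scratch tree (never the real /etc).
# All function names are hypothetical.

# Paths are built relative to a root directory passed as $1.
profile_path() { printf '%s/etc/apparmor.d/usr.bin.thunderbird' "$1"; }
link_path()    { printf '%s/etc/apparmor.d/disable/usr.bin.thunderbird' "$1"; }

# Plain 'ln -s': exits non-zero when the link already exists.
disable_plain() {
    ln -s "$(profile_path "$1")" "$(link_path "$1")" 2>/dev/null
}

# 'ln -sf': always succeeds, but replaces whatever the admin put there.
disable_forced() {
    ln -sf "$(profile_path "$1")" "$(link_path "$1")"
}

# Guarded: create the link only when nothing occupies the name.
# '-L' is checked in addition to '-e' so a link whose target is missing
# is still treated as the admin's deliberate choice (assumption, see lead-in).
disable_guarded() {
    l=$(link_path "$1")
    [ -e "$l" ] || [ -L "$l" ] || ln -s "$(profile_path "$1")" "$l"
}

# Build a constructed tree and print its root.
# $1 (optional): target of a pre-existing, admin-made link.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/apparmor.d/disable"
    : > "$(profile_path "$root")"
    [ -z "$1" ] || ln -s "$1" "$(link_path "$root")"
    printf '%s' "$root"
}
```
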
