Bug#959915: [pkg-apparmor] Bug#959915: redundant freshclam profile since it's shipped in-package
Hello,

On Monday, 25 May 2020, 11:22:01 CEST, intrigeri wrote:
> FTR, here's the profile shipped in the clamav-freshclam package:
> https://salsa.debian.org/clamav-team/clamav/-/blob/unstable/debian/usr.bin.freshclam
> It has been updated a few times in the last few years.
>
> And here's the upstream one from the AppArmor project:
> https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor/profiles/extras/usr.bin.freshclam
> It has been updated once in the last 10 years.

... and it works on my openSUSE servers (and nobody reported issues from other distros), which means there was no reason for additional updates ;-)

> I would love to see cross-distro collaboration on this profile, but
> our current infrastructure & processes are not ready for that yet,
> and I lack time/energy to push this forward myself.

I compared both profiles, and to cover both Debian and openSUSE, you'd need to add the following lines to the Debian profile:

    #include# rule exists since the original
    # profile version in 2006, no idea if it's really needed

    # openSUSE configfile paths
    /etc/clamd.conf r,
    /etc/freshclam.conf r,

I'd recommend to change the pidfile rule to have the owner restriction if possible:

    #/{,var/}run/clamav/freshclam.pid w,  # from Debian profile
    owner /{,var/}run/clamav/freshclam.pid w,  # upstream profiles/extra

I also wonder about ~/.clamtk/db/ and ~/.klamav/database/ (which I obviously don't need for server usage) - but I'm sure Jamie had good reasons to allow that ;-)

If you open a merge request upstream, I'll happily review it ;-)

Feel free to commit the Debian profile + the additional rules listed above - that's probably easier than integrating the profiles the other way round.

Regards,

Christian Boltz
--
>> emoenke@ftp4:4 /mirr/bin > du -s /pub/opensuse/distribution/*
> Using `du -sh` might be more readable. ;-)
Not for me - only for so called "humans".
[> houghi and Eberhard Moenkeberg in opensuse]
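The comparison described in the message above can be scripted. The following is an added example, not part of the thread or of either project's code: it lists file rules one profile lacks and write rules that the other profile restricts to owner. The two inputs are constructed excerpts holding only the rules quoted in the message, and the parser handles only simple path-first file rules.

```python
import re

# Constructed excerpts: only the rules quoted in the message, not the full profiles.
DEBIAN = """\
/{,var/}run/clamav/freshclam.pid w,  # from Debian profile
"""
UPSTREAM = """\
# openSUSE configfile paths
/etc/clamd.conf r,
/etc/freshclam.conf r,
owner /{,var/}run/clamav/freshclam.pid w,  # upstream profiles/extra
"""

# Simple "[owner] <path> <perms>," file rules only; rules carrying other
# qualifiers (audit, deny) or using perms-first syntax are ignored here.
RULE = re.compile(r"^\s*(?P<owner>owner\s+)?(?P<path>[/@]\S*)\s+(?P<perms>[a-zA-Z]+),")


def file_rules(text):
    """Map path -> (permission letters, owner-restricted?) for each file rule."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drops comments and commented-out rules
        m = RULE.match(line)
        if m:
            rules[m["path"]] = (frozenset(m["perms"]), bool(m["owner"]))
    return rules


def merge_report(base, other):
    """Return (paths only in `other`, write rules `other` limits to owner)."""
    b, o = file_rules(base), file_rules(other)
    missing = sorted(p for p in o if p not in b)
    tighten = sorted(
        p for p, (perms, owner) in b.items()
        if not owner and perms & set("wa") and p in o and o[p][1]
    )
    return missing, tighten


if __name__ == "__main__":
    missing, tighten = merge_report(DEBIAN, UPSTREAM)
    print("rules to add:", missing)
    print("write rules to restrict to owner:", tighten)
```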
Bug#959915: redundant freshclam profile since it's shipped in-package
Control: tag -1 + pending

Hi John & others,

John Scott (2020-05-06):
> An experimental freshclam profile is provided at
> /usr/share/apparmor/extra-profiles/usr.bin.freshclam, but clamav-freshclam
> provides its own more recent one in enforce mode at /etc/aa.d/ and has been
> for a while.

Indeed, good catch!

FTR, here's the profile shipped in the clamav-freshclam package:
https://salsa.debian.org/clamav-team/clamav/-/blob/unstable/debian/usr.bin.freshclam
It has been updated a few times in the last few years.

And here's the upstream one from the AppArmor project:
https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor/profiles/extras/usr.bin.freshclam
It has been updated once in the last 10 years.

I would love to see cross-distro collaboration on this profile, but our current infrastructure & processes are not ready for that yet, and I lack time/energy to push this forward myself. So for the time being:

> Please remove this one.

This makes sense to me: /usr/share/apparmor/extra-profiles/usr.bin.freshclam gives no benefit to Debian users and instead it can cause confusion.

The next upload won't include /usr/share/apparmor/extra-profiles/usr.bin.freshclam

Cheers!
Bug#959915: redundant freshclam profile since it's shipped in-package
Package: apparmor-profiles-extra
Version: 1.27
Severity: minor

Hi,

An experimental freshclam profile is provided at /usr/share/apparmor/extra-profiles/usr.bin.freshclam, but clamav-freshclam provides its own more recent one in enforce mode at /etc/aa.d/ and has been for a while.

Please remove this one.

-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500, 'testing'), (2, 'unstable'), (1, 'testing-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-1-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor-profiles-extra depends on:
ii apparmor 2.13.4-1+b1

apparmor-profiles-extra recommends no packages.

apparmor-profiles-extra suggests no packages.

-- no debconf information