I've given this some thought:
While firecfg handles symlinks well and per-package hacks to create
symlinks are no longer necessary, it still needs a way to make it
seamless and automatically protect users. There is already precedent in
Debian for automatic protection should a security application be
installed:
"Please automatically enable AppArmor when the userspace tools are
installed"
https://bugs.debian.org/702030
The only clean way to implement this is a dpkg trigger. Run firecfg - if
some option is set in a .d config folder - each time something is
installed to /usr/bin/, /sbin or perhaps best even / (therefore running
it every time during apt-get). Otherwise there will always be
inconsistencies about whether an installed firejail, and profile, and a
"to be contained" binary is installed at the same time will result in
using firejail. A state where sometimes things work for some users but
not for all is quite horrible.
Manually running firecfg also does not work for software that has
profiles but where the package gets installed by the user after firejail
was installed. I speculate that, for reasons of cleanness, it does not
create symlinks for binaries that are not yet installed in preparation
that it may one day be installed.
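
The trigger proposed above could look like the following postinst sketch. It is an added example, not part of the original message and not the firejail package's own maintainer script. The config directory, the AUTO_FIRECFG key and the FIRECFG override are hypothetical names; the `interest-noawait` lines and the `triggered` argument are standard dpkg trigger behaviour.

```shell
#!/bin/sh
# Added sketch of a firejail postinst driven by a dpkg file trigger.
# Assumed debian/triggers content (real dpkg file-trigger syntax):
#   interest-noawait /usr/bin
#   interest-noawait /usr/sbin
# Hypothetical names: CONF_DIR, the AUTO_FIRECFG key, the FIRECFG override.
CONF_DIR="${CONF_DIR:-/etc/firejail/firecfg.d}"
FIRECFG="${FIRECFG:-firecfg}"

# Succeeds only if the last AUTO_FIRECFG= setting across *.conf is "yes".
# Files are read in lexical order, so later files override earlier ones.
# With no config file present the answer is "no" (opt-in).
auto_firecfg_enabled() {
    value=no
    for f in "$CONF_DIR"/*.conf; do
        [ -f "$f" ] || continue
        while IFS='=' read -r key val; do
            if [ "$key" = "AUTO_FIRECFG" ]; then
                value="$val"
            fi
        done < "$f"
    done
    [ "$value" = "yes" ]
}

# dpkg calls postinst as "configure <old-version>" when firejail itself is
# installed, and as "triggered <names>" after another package changed a
# watched path, which covers software installed after firejail.
handle_postinst() {
    case "$1" in
        configure|triggered)
            if auto_firecfg_enabled; then
                "$FIRECFG" || return 1   # refresh the symlinks
                echo ran
            else
                echo skipped
            fi
            ;;
        *)
            echo ignored
            ;;
    esac
}

# Act only when dpkg passed arguments, as it does for a maintainer script.
[ $# -eq 0 ] || handle_postinst "$@"
```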