On 2017-12-16 08:37 AM, Cédric Dufour - Idiap Research Institute wrote:
> On 16/12/17 10:02, Carsten Schoenert wrote:
>> There is the AppArmor profile not re-enable? What led you to that
>> conclusion? As written before two commands are needed.
>>
>> $ sudo rm /etc/apparmor.d/disable/profile.name
>> $ sudo apparmor_parser -r /etc/apparmor.d/profile.name
>
> It does work.
> Until the next update, where /etc/apparmor.d/disable/profile.name will
> re-appear
> (a deleted file in /etc is not considered a modified file by dpkg; hence
> the file will be re-installed from the package and AppArmor disabled
> again; that's what I tried to demonstrate with 'apt-get reinstall
> thunderbird')

Packages shipping with a disabled profile need some special handling during updates to not re-disable the profile for those who opted in to enable it. Firefox in Ubuntu is one such package and it has this .postinst:

    APP_PROFILE="/etc/apparmor.d/usr.bin.$MOZ_PKG_NAME"
    [...]
    # Reload AppArmor profile
    DISABLE_APP_PROFILE="/etc/apparmor.d/disable/usr.bin.$MOZ_PKG_NAME"
    if [ ! -f "$DISABLE_APP_PROFILE" ] && aa-status --enabled 2>/dev/null; then
        apparmor_parser -r -T -W "$APP_PROFILE" || true
    fi

I don't know if TB has such logic or not.

Regards,
Simon
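
Added example (not part of the original message, and not code from the Thunderbird or Firefox packaging): an admin-side check for the situation described in this thread, where a disable link removed by the administrator comes back after a package update. The opt-in list file and the AA_PARSER override are assumptions made for this example; the re-enable step is the two commands quoted above.

```shell
#!/bin/sh
# Added example. Assumptions: the administrator keeps a plain-text list of
# profile names they have opted in to (one per line, '#' starts a comment);
# the list's location is hypothetical and passed as an argument.

# redisabled_profiles APPARMOR_DIR OPTIN_FILE
# Prints every opted-in profile for which APPARMOR_DIR/disable/<name>
# exists again. Returns 2 if the opt-in list cannot be read.
redisabled_profiles() {
    aa_dir=$1
    optin=$2
    [ -r "$optin" ] || return 2
    while IFS= read -r name || [ -n "$name" ]; do
        case $name in
            ''|'#'*) continue ;;   # blank line or comment
            */*)     continue ;;   # only plain file names are accepted
        esac
        # -e follows the link; -L also catches a dangling disable link.
        if [ -e "$aa_dir/disable/$name" ] || [ -L "$aa_dir/disable/$name" ]; then
            printf '%s\n' "$name"
        fi
    done < "$optin"
}

# reenable_profile APPARMOR_DIR NAME
# Removes the disable link and reloads the profile (the two commands from
# the thread). AA_PARSER is a hypothetical override so the function can be
# exercised outside /etc without touching the kernel.
reenable_profile() {
    aa_dir=$1
    name=$2
    rm -f -- "$aa_dir/disable/$name" &&
        "${AA_PARSER:-apparmor_parser}" -r "$aa_dir/$name"
}

# Stand-alone use (as root):
#   sh check-aa-optin.sh --check /etc/apparmor.d /path/to/optin.list
if [ "${1:-}" = "--check" ]; then
    redisabled_profiles "$2" "$3"
fi
```

Run after package updates (for instance from cron or an APT DPkg::Post-Invoke hook); any name it prints is a profile that was switched off again and can be passed to reenable_profile.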