Le dim. 24 févr. 2019 à 23:33, Christian Boltz <debian-b...@cboltz.de> a écrit : > > Hello,
Hello, > I agree that local/ isn't the perfect place. That said... > > Am Sonntag, 24. Februar 2019, 20:42:55 CET schrieb Mathieu Parent: > > Le dimanche 24 février 2019, intrigeri <intrig...@debian.org> a écrit: > > > intrigeri: > > >> So I'll add this: > > >> #include if exists /etc/apparmor.d/samba/smbd-shares > > > > > > I mean: > > > #include if exists <samba/smbd-shares> > > > > I'm OK with this path and understand your rationale. However, I try to > > avoid distribution divergence. > > We had a similar discussion upstream quite a while (years?) ago, but > didn't reach an agreement on which path to use. > > I'm not sure if I like your samba/... path - it's not bad on itsself, > but it opens a can of worms. Let's assume for a moment that more > programs auto-generate profile sniplets. Do we really want to have one > directory for each of them (always holding a single file)? I'm afraid > that might produce an interesting forest in /etc/apparmor.d/... > > Counter-proposal: What about /etc/apparmor.d/autogenerated/$whatever ? > That directory could be used by multiple programs. OK for me. Intrigeri? > > Christian: any chance that the > > opensuse path changes too? > > We'll have to migrate existing users (and therefore probably have to > support both paths in the samba profile for a while). > That makes things more interesting[tm], but won't stop me from keeping > the path in sync ;-) > > > Another note: update-apparmor-samba-profile does > > test -e "$profilesniplet" || silentexit "apparmor profile snippet > not available" > > which means you _have to_ ship a (possibly empty) sniplet to ensure the > script works. > > The alternative would be to change that test to something like > > test -d "/etc/apparmor.d/autogenerated" || silentexit "directory for > autogenerated profile sniplets doesn't exist" I prefer testing the parent directory. > > Regards, > > Christian Boltz Regards -- Mathieu
