On Tue, 2012-02-07 at 16:50 +0100, Christian Boltz wrote:
> Hello,
>
> Am Dienstag, 7. Februar 2012 schrieb Jamie Strandboge:
> > diff -Naurp -x .bzr -x common
> > apparmor-trunk/utils/easyprof/policygroups/opt-application
> > apparmor-trunk-easyprof/utils/easyprof/policygroups/opt-application
> > --- apparmor-trunk/utils/easyprof/policygroups/opt-application 1969-12-31
> > 18:00:00.000000000 -0600
> > +++ apparmor-trunk-easyprof/utils/easyprof/policygroups/opt-application
> > 2012-02-06 16:39:38.000000000 -0600
> > @@ -0,0 +1,3 @@
> > +# Policy group for applications installed in /opt
> > +/opt/@{APPNAME}/ r,
> > +/opt/@{APPNAME}/** mrlk,
>
> Is the "l" permission really needed for /opt?
Maybe? I thought it conceivable that applications might have their own
tmp directory in /opt which is why I added 'l' (ie, we do that in the
user-tmp abstraction). Of course, that falls apart because I forgot 'w'.
Maybe I'll drop 'l' for now and add 'l' if we need 'w' later on. It is
not known if this is strictly required, but the point of this
policy-group is to make sure that applications can do mostly whatever
they need to in /opt/@{APPNAME}/ (excepting execs). We'll know more when
people start trying to use the aa-easyprof.
--
Jamie Strandboge | http://www.canonical.com
signature.asc
Description: This is a digitally signed message part
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
