On Thu, Jan 16, 2014 at 11:11:22AM +0100, Didier 'OdyX' Raboud wrote:
> On Wednesday, 15 January 2014, 11.14:07 Seth Arnold wrote:
> > On Wed, Jan 15, 2014 at 07:30:52PM +0100, intrigeri wrote:
> > > From: Didier Raboud <o...@debian.org>
> > > apparmor could have an 'interest /etc/apparmor.d/' triggers file and
> > > its postinst would then do the machinery to create (or remove) the
> > > /etc/apparmor.d/local/* files accordingly.
> >
> > This does sound nice, but the next part worries me..
> >
> > > This could also have the side benefit of only running
> > > apparmor_parser once for all files installed at the same time.
> >
> > When would this single apparmor_parser run happen? It needs to happen
> > before daemons are started or restarted in their postinst scripts,
> > otherwise the AppArmor policy won't be enforced.
>
> As far as I understand deb-triggers' manpage, this can be enforced using
> 'activate /etc/apparmor.d/', which will then make the trigger run "at
> the start of the configure operation", which ensures exactly what you
> want.
Per-policy reloads must happen before a daemon restarts, so they cannot be
triggers. All-policy reloads should be avoided entirely, so they shouldn't be
triggers either. :)

-Kees

-- 
Kees Cook
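The ordering Kees describes, as an added example that is not part of the original thread and not the apparmor package's own maintainer scripts: a postinst-style helper that loads the package's profile with apparmor_parser and restarts the daemon only after that succeeds, followed by an offline demo that swaps in stub commands to record the call order. The profile file name (usr.sbin.exampled), the service name (exampled) and the step log are assumed placeholders.

```sh
#!/bin/sh
# Added example, not code from this thread or from the Debian apparmor package.
# It demonstrates the ordering Kees insists on: a package's postinst loads its
# own AppArmor profile into the kernel first and restarts the daemon only after
# that succeeds. Deferring the load to a dpkg trigger (or running it after the
# restart) leaves the newly started daemon unconfined until the profile lands.
#
# Real commands: apparmor_parser -r <profile> (replace/load a profile) and
# invoke-rc.d <service> restart. Assumed placeholders: the profile file
# usr.sbin.exampled, the service name "exampled", and the step log file.

# Load one profile, then restart its daemon. Each completed step is appended
# to the file named in $3. Returns non-zero if either step fails, so dpkg
# reports the configure failure instead of silently leaving the daemon
# running without policy.
reload_then_restart() {
    profile="$1"; service="$2"; log="$3"
    if command -v apparmor_parser >/dev/null 2>&1 && [ -f "$profile" ]; then
        apparmor_parser -r "$profile" || return 1
        echo "profile-loaded" >>"$log"
    else
        # No parser or no profile on this host: nothing to enforce, do not block the install.
        echo "profile-skipped" >>"$log"
    fi
    invoke-rc.d "$service" restart || return 1
    echo "service-restarted" >>"$log"
}

# Offline demo: stand in for apparmor_parser and invoke-rc.d with stub scripts
# that only record which one ran, then run the helper with those stubs first
# on PATH. Prints the call order as "apparmor_parser;invoke-rc.d" and returns
# 0 only if the profile load really preceded the restart.
demo_order() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin"
    for cmd in apparmor_parser invoke-rc.d; do
        printf '#!/bin/sh\necho %s >>"%s/calls"\n' "$cmd" "$tmp" >"$tmp/bin/$cmd"
        chmod +x "$tmp/bin/$cmd"
    done
    printf '# constructed placeholder profile, not real AppArmor policy\n' >"$tmp/usr.sbin.exampled"

    # Subshell so the PATH change does not leak into the caller.
    ( PATH="$tmp/bin:$PATH"; export PATH
      reload_then_restart "$tmp/usr.sbin.exampled" exampled "$tmp/steps" ) || return 1

    order=$(paste -s -d ';' "$tmp/calls")
    steps=$(paste -s -d ';' "$tmp/steps")
    rm -rf "$tmp"
    printf '%s\n' "$order"
    [ "$order" = "apparmor_parser;invoke-rc.d" ] && [ "$steps" = "profile-loaded;service-restarted" ]
}

demo_order
```

Run stand-alone it prints `apparmor_parser;invoke-rc.d`; the helper's exit status is what a real postinst would propagate, so a failed profile load aborts configure rather than starting the daemon without its policy.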