Package: apparmor
Version: 3.0.1-3

Hi,
a few packages ship their own abstractions, which in turn are reused in
other profiles.
An example is libvirt, which has:
  /etc/apparmor.d/abstractions/libvirt-qemu

This abstraction is then used in the per-guest profiles like:
$ cat /etc/apparmor.d/libvirt/libvirt-01d4cdfe-259c-4748-abcf-fd1fa96e52e1
...
  #include <abstractions/libvirt-qemu>
...

It turns out profiles for VMs are rather hard to get right, as there are
so many very different use cases.
It is always a balance between too open and too restrictive.
Therefore it is rather common for users to want to add local overrides
on their system.

Those can be done "per guest" in files like
"/etc/apparmor.d/libvirt/libvirt-01d4cdfe-259c-4748-abcf-fd1fa96e52e1"
mentioned above. But chances are quite high that you have some things
you want to allow in general for all your guests.

To do so one can edit "/etc/apparmor.d/abstractions/libvirt-qemu", but
as we all know that means either conffile prompts or the edit being
clobbered on package upgrades.

The usual way out of this is local includes, and dh-apparmor is
helpful in deploying them and writing the empty skeleton file as
needed.

But in the case above what one needs is not a local include for a
profile like /etc/apparmor.d/<profile> but instead a local include for
an abstraction.

In apparmor itself all is fine: if
/etc/apparmor.d/abstractions/libvirt-qemu does "#include
<local/abstractions/libvirt-qemu>" and you have a file at
/etc/apparmor.d/local/abstractions/libvirt-qemu, that works.

But dh-apparmor as of today breaks if you pass it
"abstractions/libvirt-qemu" to take care of. Therefore - up to now -
we've handled that in libvirt maintainer scripts (in Ubuntu) and are
starting to do so in Debian as well. But it would be nice and useful
if we could at some point use dh-apparmor for these just the same as
one would do with any other local include.
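For reference, here is what the "skeleton file for an abstraction" step looks like when done by hand, as an added example that is not from this report, from dh-apparmor, or from the libvirt maintainer scripts. It assumes the AppArmor configuration root is passed in as a parameter (defaulting in real use to /etc/apparmor.d) so it can be exercised against a scratch directory; the skeleton header is modelled on the one dh-apparmor writes for profile local includes, and the check accepts both the "#include" spelling from the report and the "include" spelling the AppArmor 3 parser also accepts.

```shell
#!/bin/sh
# Added example, not the bug report's or dh-apparmor's own code.
# Emulates the "write an empty skeleton file" step for an *abstraction*
# local include, the case the report says dh-apparmor cannot handle yet.
# <root> is the AppArmor config directory (/etc/apparmor.d on a real
# system); passing a temporary directory keeps the host untouched.

# Create the local override file for an abstraction if it is missing.
# Never overwrite: an existing file is the administrator's local policy.
# Usage: ensure_local_abstraction <root> <abstraction-name>
ensure_local_abstraction() {
    root="$1"; name="$2"
    local_file="$root/local/abstractions/$name"
    if [ -e "$local_file" ]; then
        return 0
    fi
    mkdir -p "$(dirname "$local_file")"
    # Header modelled on the dh-apparmor profile skeleton (assumption):
    # comments only, so the include resolves and no rules are granted.
    cat > "$local_file" <<EOF
# Site-specific additions and overrides for <abstractions/$name>.
# For more details, please see /etc/apparmor.d/local/README.
EOF
}

# Check that the shipped abstraction actually pulls in its local override.
# Accepts "#include <...>" (as in the report) and "include <...>".
# Usage: abstraction_has_local_include <root> <abstraction-name>
abstraction_has_local_include() {
    root="$1"; name="$2"
    grep -Eq "^[[:space:]]*#?include[[:space:]]+<local/abstractions/$name>" \
        "$root/abstractions/$name"
}

# True only when the include line is present AND the skeleton exists,
# i.e. when the parser will load the abstraction without an error.
# Usage: local_abstraction_ok <root> <abstraction-name>
local_abstraction_ok() {
    abstraction_has_local_include "$1" "$2" && [ -e "$1/local/abstractions/$2" ]
}
```

The second check matters because an abstraction that hard-includes a local file which does not exist makes the parser reject every profile using that abstraction, so the skeleton must be in place before the profiles are reloaded; the AppArmor 3 parser also offers "include if exists <...>", which makes the skeleton optional.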

-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
