Re: issue with php5 abstraction in apparmor

2010-03-25 Thread DULMANDAKH Sukhbaatar
> Since we are past beta now, for Lucid we should probably try to just
> make the minimal change required to fix the bug. As such, I think
> adjusting the abstractions to have:
>  /usr/lib{64,}/php5/*/*.so mr,
>
> would be the best approach. I'd prefer to use a regex instead of '/*/'
> but since the version seems to be rather free-form, this seems best.
> Opinions?

Mostly, API_VERSION was just numbers until the Lucid version. Now it has a +
sign and letters. Maybe a quick fix would be *.

-- 
Regards
Dulmandakh
http://www.dulmandakh.com
http://www.twitter.com/dulmandakh/

-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: issue with php5 abstraction in apparmor

2010-03-24 Thread Jamie Strandboge
On Tue, 2010-03-16 at 19:02 +0100, Nicolas Barcet wrote:
> I am pasting below an answer from John Johansen, who is not subscribed
> to this list.
> 
> On 03/14/2010 11:36 AM, DULMANDAKH Sukhbaatar wrote:
> > > As new Ubuntu LTS version is approaching I started to think about
> > > migrating my servers to it. To make future migrations smooth I started
> > > playing with Lucid and testing it. As a part of it I'm creating
> > > apparmor profile for php5-cgi. I found apparmor abstraction for php5
> > > useful, but found two problems in it. First was just easy so I fixed
> > > and filed a bug (#538661) with patch. And last and bigger is path to
> > > php5 extensions.
> 
> thanks
> 
> > >
> > > php5's abstraction is allowing php5 to load its extensions from
> > > /usr/lib{64,}/php5/{libexec,extensions}/, but php5-* packages in
> > > ubuntu install extensions in /usr/lib/php5/PHP_API_VERSION or
> > > /usr/lib/php5/20090626+lfs in Lucid, so php5 cannot load extensions.
> > >
> > > I was thinking about solutions to it and found three of them. First,
> > > let's change abstraction so php5 can load extensions from
> > > /usr/lib/php5/**. Second one is just change path in php5 abstraction
> > > file to include PHP_API_VERSION, and make such change in every
> > > release. Last one is change php5 packaging so it'll install extension
> > > in fixed directory.
> > >
> 
> fourth: use a variable to describe extension locations
> - basically the same as your second solution, except the change is
>   centralized to a variable.
> 
> @{PHP_EXTENSIONS}=/usr/lib{64,}/php5/{libexec,extensions}/
> /usr/lib{64,}/PHP_API_VERSION
> 
>   I know this is already basically centralized in the include but the
>  variable would allow it to be used separate from the include too.
>  It also allows easy extension of the abstractions by just assigning
>  a new value to it.
> 
> @{PHP_EXTENSIONS}+=/some/new/path
> 
>  The variable gives the option of having rules that reference
>  PHP_EXTENSIONS with different permissions.  I am not sure how
>  useful that would be atm.
> 
> Another option that can be used on its own or with the variable is
> using a directory include, in the php abstraction and then dropping
> extensions to the abstraction in that dir.  Basically the directory
> include will include any file in the directory, so to expand the
> abstraction you can just drop in a new file.  This can aid packaging,
> as different packages can then drop relevant bits into a file owned
> by the package.
> 
> When combined with the variable, it can extend the variable and thus
> all rules referencing it.

Since we are past beta now, for Lucid we should probably try to just
make the minimal change required to fix the bug. As such, I think
adjusting the abstractions to have:
  /usr/lib{64,}/php5/*/*.so mr,

would be the best approach. I'd prefer to use a regex instead of '/*/'
but since the version seems to be rather free-form, this seems best.
Opinions?


-- 
Jamie Strandboge | http://www.canonical.com
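
How the candidate rules from this thread differ in what they allow, as an added example that is not part of any message: a simplified translation of AppArmor path globs to regular expressions (only `*`, `**`, `?` and `{a,b}` are handled), run over constructed sample paths. The form of the `current` rule and the file names are assumptions; the thread gives only the directories.

```python
import re

def aa_glob_to_regex(glob):
    """Translate a subset of AppArmor path globbing into a compiled regex.

    Simplified: only *, **, ? and {a,b} alternation are handled; character
    classes, variables and the parser's corner cases are left out.
    """
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")            # ** also crosses '/' boundaries
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")         # * stays inside one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.S)

RULES = {
    # Assumed rule form: the thread only names the two directories.
    "current": "/usr/lib{64,}/php5/{libexec,extensions}/**",
    "proposed": "/usr/lib{64,}/php5/*/*.so",   # minimal change for Lucid
    "broad": "/usr/lib/php5/**",               # first option in the report
}

def matching_rules(path):
    """Names of the rules whose glob matches the whole path."""
    return [name for name, glob in RULES.items()
            if aa_glob_to_regex(glob).fullmatch(path)]

# Constructed sample paths; only the directory names come from the thread.
SAMPLES = ["/usr/lib/php5/20090626+lfs/mysql.so",
           "/usr/lib/php5/20090626+lfs/sub/nested.so",
           "/usr/lib/php5/20090626+lfs/notes.txt"]
if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:45} {matching_rules(p)}")
```

The `proposed` rule covers the versioned directory on both `lib` and `lib64` while still rejecting nested paths and non-`.so` files, which the `broad` rule would let through.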



Re: issue with php5 abstraction in apparmor

2010-03-16 Thread Nicolas Barcet
I am pasting below an answer from John Johansen, who is not subscribed
to this list.

On 03/14/2010 11:36 AM, DULMANDAKH Sukhbaatar wrote:
> > As new Ubuntu LTS version is approaching I started to think about
> > migrating my servers to it. To make future migrations smooth I started
> > playing with Lucid and testing it. As a part of it I'm creating
> > apparmor profile for php5-cgi. I found apparmor abstraction for php5
> > useful, but found two problems in it. First was just easy so I fixed
> > and filed a bug (#538661) with patch. And last and bigger is path to
> > php5 extensions.

thanks

> >
> > php5's abstraction is allowing php5 to load its extensions from
> > /usr/lib{64,}/php5/{libexec,extensions}/, but php5-* packages in
> > ubuntu install extensions in /usr/lib/php5/PHP_API_VERSION or
> > /usr/lib/php5/20090626+lfs in Lucid, so php5 cannot load extensions.
> >
> > I was thinking about solutions to it and found three of them. First,
> > let's change abstraction so php5 can load extensions from
> > /usr/lib/php5/**. Second one is just change path in php5 abstraction
> > file to include PHP_API_VERSION, and make such change in every
> > release. Last one is change php5 packaging so it'll install extension
> > in fixed directory.
> >

fourth: use a variable to describe extension locations
- basically the same as your second solution, except the change is
  centralized to a variable.

@{PHP_EXTENSIONS}=/usr/lib{64,}/php5/{libexec,extensions}/
/usr/lib{64,}/PHP_API_VERSION

  I know this is already basically centralized in the include but the
 variable would allow it to be used separate from the include too.
 It also allows easy extension of the abstractions by just assigning
 a new value to it.

@{PHP_EXTENSIONS}+=/some/new/path

 The variable gives the option of having rules that reference
 PHP_EXTENSIONS with different permissions.  I am not sure how
 useful that would be atm.

Another option that can be used on its own or with the variable is
using a directory include, in the php abstraction and then dropping
extensions to the abstraction in that dir.  Basically the directory
include will include any file in the directory, so to expand the
abstraction you can just drop in a new file.  This can aid packaging,
as different packages can then drop relevant bits into a file owned
by the package.

When combined with the variable, it can extend the variable and thus
all rules referencing it.




issue with php5 abstraction in apparmor

2010-03-14 Thread DULMANDAKH Sukhbaatar
Hello,

As new Ubuntu LTS version is approaching I started to think about
migrating my servers to it. To make future migrations smooth I started
playing with Lucid and testing it. As a part of it I'm creating
apparmor profile for php5-cgi. I found apparmor abstraction for php5
useful, but found two problems in it. First was just easy so I fixed
and filed a bug (#538661) with patch. And last and bigger is path to
php5 extensions.

php5's abstraction is allowing php5 to load its extensions from
/usr/lib{64,}/php5/{libexec,extensions}/, but php5-* packages in
ubuntu install extensions in /usr/lib/php5/PHP_API_VERSION or
/usr/lib/php5/20090626+lfs in Lucid, so php5 cannot load extensions.

I was thinking about solutions to it and found three of them. First,
let's change abstraction so php5 can load extensions from
/usr/lib/php5/**. Second one is just change path in php5 abstraction
file to include PHP_API_VERSION, and make such change in every
release. Last one is change php5 packaging so it'll install extension
in fixed directory.

I thought it would be appropriate to discuss it here and find unified
solution for Ubuntu.

-- 
Regards
Dulmandakh
http://www.dulmandakh.com
http://www.twitter.com/dulmandakh/
