[pkg-apparmor] Bug#656451: Bug#656451: Bug#656451: apparmor-profiles: unowned files after purge (policy 6.8, 10.8)

[Felix Geyer]

Control: tags -1 pending

On 09.06.2015 16:47, Jamie Strandboge wrote:
> On 06/08/2015 05:34 PM, Felix Geyer wrote:
>> Hi,
>>
>> On 09.06.2015 00:13, Andreas Beckmann wrote:
>>> Followup-For: Bug #656451
>>>
>>> Looks like the unowned files have returned:
>>>
>>> 0m47.7s ERROR: FAIL: Package purging left files on system:
>>>   /etc/apparmor.d/local/bin.ping	 not owned
>>>   /etc/apparmor.d/local/sbin.klogd	 not owned
>>>   /etc/apparmor.d/local/sbin.syslog-ng	 not owned
>>>   [...]
>>
>> debian/rules calls /usr/bin/dh_apparmor if it exists.
>> Since it doesn't build-depend on itself this is not the case in a minimal build environment.
>>
>> It should be possible to call the dh_apparmor from the source tree by setting
>> DH_AUTOSCRIPTDIR to debian/debhelper/.
>>
>>
>> More generally is there a good reason why dh_apparmor creates the
>> /etc/apparmor.d/local/<profile> files in postinst instead of installing
>> them as regular conffiles?
>> That way we'd get the file removal handling for free.
>>
> We don't want them handled as conffiles because we don't want prompts on
> upgrades. These are site-specific files and the idea is create it if it doesn't
> exist and then leave it alone thereafter (this way the admin can modify this
> file rather than the profile in /etc/apparmor.d, which is a conffile).

Right I get that. In practice you wouldn't get prompts provided that the dh_apparmor output is stable.
Anyway I guess there is not much to be gained by changing this now.

I've committed a fix for bug #656451:
https://alioth.debian.org/scm/loggerhead/collab-maint/apparmor/revision/1524

Felix

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-apparmor-team/attachments/20150611/ad20efc4/attachment.sig>