[25704] in Source-Commits
Re: /svn/athena r25174 -
daemon@ATHENA.MIT.EDU (Geoffrey Thomas)
Wed Jun 29 03:23:52 2011
Date: Wed, 29 Jun 2011 03:23:45 -0400 (EDT)
From: Geoffrey Thomas <geofft@MIT.EDU>
To: Jonathan D Reed <jdreed@mit.edu>
cc: source-commits@mit.edu
In-Reply-To: <201106282130.p5SLURhx023666@drugstore.mit.edu>
Message-ID: <alpine.DEB.2.00.1106290304430.26413@tyger.mit.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

NACK. The postinsts that are supposed to generate these files take two
more steps: first, they put a comment explaining them, and second and more
importantly, they make sure the parent directory exists. dh_apparmor does
this:

# Add the local/ include
LOCAL_APP_PROFILE=/etc/apparmor.d/local/usr.sbin.cupsd
test -e "$LOCAL_APP_PROFILE" || {
    tmp=`mktemp`
    cat <<EOM > "$tmp"
# Site-specific additions and overrides for usr.sbin.cupsd.
# For more details, please see /etc/apparmor.d/local/README.
EOM
    mkdir `dirname $LOCAL_APP_PROFILE` 2>/dev/null || true
    mv -f "$tmp" "$LOCAL_APP_PROFILE"
    chmod 644 "$LOCAL_APP_PROFILE"
}

I don't think much of this is necessary, but a mkdir -p would be nice to
prevent the install from failing completely if /etc/apparmor.d/local
doesn't exist. There are cases where it doesn't, notably including Lucid
and Debian, and your postinst would fail there.

That said, it's only on Maverick and higher that the local directory
exists at all. There's no serious harm in creating these everywhere, but
one reasonably clean way to address this would be to test -x
/usr/bin/dh_apparmor at build time before putting this in the postinst, so
it's only run on releases where dh_apparmor would have wanted to create
the local file anyway. (Unfortunately, dh_apparmor's snippet wraps the
code in a test -f /etc/apparmor.d/$PROFILE, and we only are guaranteed to
have $PROFILE.debathena when this runs, so we can't abuse dh_apparmor
itself.)

--
Geoffrey Thomas
geofft@mit.edu

On Tue, 28 Jun 2011, Jonathan D Reed wrote:
> Author: jdreed
> Date: 2011-06-28 17:30:27 -0400 (Tue, 28 Jun 2011)
> New Revision: 25174
>
> Modified:
> trunk/debathena/config/apparmor-config/debian/changelog
> trunk/debathena/config/apparmor-config/debian/debathena-apparmor-config.postinst
> Log:
> In apparmor-config:
> * ensure local/usr.sbin/cupsd and local/usr.sbin.ntpd files exist even
> if those packages aren't installed (Trac: #737)
>
>
> Modified: trunk/debathena/config/apparmor-config/debian/changelog
> ===================================================================
> --- trunk/debathena/config/apparmor-config/debian/changelog 2011-06-27 19:18:51 UTC (rev 25173)
> +++ trunk/debathena/config/apparmor-config/debian/changelog 2011-06-28 21:30:27 UTC (rev 25174)
> @@ -1,3 +1,10 @@
> +debathena-apparmor-config (1.2.1) unstable; urgency=low
> +
> + * ensure local/usr.sbin/cupsd and local/usr.sbin.ntpd files exist even
> + if those packages aren't installed (Trac: #737)
> +
> + -- Jonathan Reed <jdreed@mit.edu> Tue, 28 Jun 2011 17:27:26 -0400
> +
> debathena-apparmor-config (1.2) unstable; urgency=low
>
> * Transform <abstractions/nameservice> to allow reading
>
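Review bot: the new 1.2.1 entry writes the first path as local/usr.sbin/cupsd, with a slash before cupsd, while the second is local/usr.sbin.ntpd and the postinst loop in this same commit uses usr.sbin.cupsd. The changelog entry should read local/usr.sbin.cupsd so it names the file that is actually created.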
> Modified: trunk/debathena/config/apparmor-config/debian/debathena-apparmor-config.postinst
> ===================================================================
> --- trunk/debathena/config/apparmor-config/debian/debathena-apparmor-config.postinst 2011-06-27 19:18:51 UTC (rev 25173)
> +++ trunk/debathena/config/apparmor-config/debian/debathena-apparmor-config.postinst 2011-06-28 21:30:27 UTC (rev 25174)
> @@ -84,6 +84,11 @@
> cleanup_old_diversion /etc/apparmor.d/tunables/home
> fi
>
> + # Ensure local files exist
> + for f in usr.sbin.cupsd usr.sbin.ntpd; do
> + [ -f "/etc/apparmor.d/local/$f" ] || touch "/etc/apparmor.d/local/$f"
> + done
> +
> if hash apparmor_status 2>/dev/null && apparmor_status --enabled; then
> if hash invoke-rc.d 2>/dev/null; then
> invoke-rc.d apparmor reload
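Review bot: the added touch "/etc/apparmor.d/local/$f" line assumes /etc/apparmor.d/local already exists; nothing in this hunk creates it, so the touch fails whenever that directory is missing. Put a mkdir -p /etc/apparmor.d/local ahead of the for loop. The files are also created empty, so consider writing a one-line comment into each new file saying it is for site-specific additions, so an administrator who finds it knows what it is for.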
>
>
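The failure mode raised in the reply (a bare touch into a local/ directory that may not exist) next to a guarded version using mkdir -p, as an added example that is not part of the original message or of the Debathena package. The function names and the APPARMOR_ROOT override are hypothetical, introduced so the code can be run against a scratch directory; the header comment text follows the dh_apparmor snippet quoted in the reply.

```shell
#!/bin/sh
# Added example, not the Debathena postinst.
# APPARMOR_ROOT is a hypothetical override for testing against a scratch
# tree; a real postinst would operate on /etc/apparmor.d directly.

# Unguarded form, as in the commit: fails when local/ does not exist.
touch_local_profile() {
    root="${APPARMOR_ROOT:-/etc/apparmor.d}"
    [ -f "$root/local/$1" ] || touch "$root/local/$1"
}

# Guarded form: $1 is the profile name, e.g. usr.sbin.cupsd
ensure_local_profile() {
    root="${APPARMOR_ROOT:-/etc/apparmor.d}"
    target="$root/local/$1"

    # Never replace an existing file: it may hold site-specific rules.
    [ -e "$target" ] && return 0

    # -p creates missing parents and succeeds if the directory is present.
    mkdir -p "$root/local" || return 1

    # Write a temp file in the same directory and rename it into place,
    # so the profile's include never sees a half-written file.
    tmp=$(mktemp "$root/local/.$1.XXXXXX") || return 1
    cat > "$tmp" <<EOM
# Site-specific additions and overrides for $1.
# For more details, please see /etc/apparmor.d/local/README.
EOM
    chmod 644 "$tmp" && mv -f "$tmp" "$target"
}

# In a postinst the loop from the commit would become:
#   for f in usr.sbin.cupsd usr.sbin.ntpd; do
#       ensure_local_profile "$f"
#   done
```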