On 23/05/15 04:17, intrigeri wrote:
> Hi,
>
> Andreas Beckmann wrote (11 Nov 2014 19:20:37 GMT) :
>> Selecting previously unselected package openntpd.
>> Preparing to unpack .../openntpd_20080406p-11_amd64.deb ...
>> Unpacking openntpd (20080406p-11) ...
>> dpkg: error processing archive
>> /var/cache/apt/archives/openntpd_20080406p-11_amd64.deb (--unpack):
>> trying to overwrite '/etc/apparmor.d/usr.sbin.ntpd', which is also in
>> package apparmor-profiles-extra 1.4
>> Errors were encountered while processing:
>> /var/cache/apt/archives/openntpd_20080406p-11_amd64.deb
>
> The ntp and openntpd packages both ship /usr/sbin/ntpd, and rightfully
> conflict with each other. Since we have a 1-to-1 mapping between
> absolute binary names and AppArmor profile (unless we bother confining
> stuff via the initscript or systemd unit file, the latter not being
> supported in sid yet), I think the conflict must be reflected in the
> packages that ship the AppArmor profiles. So I see a few solutions:
>
> 1. Have openntpd conflict with apparmor-profiles-extra. This would be
>    sad, since it prevents openntpd users from benefiting from other,
>    unrelated profiles shipped in apparmor-profiles-extra. OTOH this is
>    very easy and can be temporary, until we can e.g. rename the
>    profile shipped by openntpd to e.g. system_openntpd, and apply it
>    with AppArmorProfile= (see systemd.exec(5)), that should be possible
>    soon after Jessie 8.1 is out.
>
> 2. Remove usr.sbin.ntpd from apparmor-profiles-extra or from openntpd.
>    Same as above, this can be temporary, until systemd v210+ reaches
>    sid and we have nicer solutions.
>
> 3. Move the usr.sbin.ntpd profile from apparmor-profiles-extra to ntp.
>    This seems to be the obvious best long-term solution, I think.
>
> Thoughts, opinions, volunteers?
>
> Dererk: I have added the 'help-needed' usertag for
> user=pkg-apparmor-t...@lists.alioth.debian.org, so that this bug is on
> the AppArmor team's radar.

Thanks intrigeri!
I'm up for whichever option you apparmor jedis consider appropriate.

I don't mind any of the scenarios described, but I would prefer to allow users to make the most out of the apparmor-profiles-extra collection as well, which seems to conflict with option 1 (at least in the short term).

I'm 100% in agreement with you, and that the more appropriate, long-term alternative on all three scenarios would be to convince ntp guys to import the ntp apparmor profile from apparmor-profiles-extra into ntp itself, which I honestly think makes sense (and that is what openntpd does today too).

NTP Team, Hi!

What would you say about importing ntp apparmor's hardening profile into the ntp package? This carries a little bit of work, trivial in my opinion, that is installing the ntp profile, build-depending on dh-apparmor and Suggesting apparmor for activation at runtime. I wouldn't think the changes are more than 4 or 5 lines of diff.

What do you think?

Cheers,

Dererk

--
BOFH excuse #306: CPU-angle has to be adjusted because of vibrations coming from the nearby road
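The following is an added example, not part of the message above and not code from dpkg or either package: a simplified, version-less model of the file-overwrite check behind the quoted dpkg error, run against option 1 and option 3 from the thread. The package manifests are constructed; only `/etc/apparmor.d/usr.sbin.ntpd` and `/usr/sbin/ntpd` come from the thread, and `example.other` is a placeholder for the unrelated profiles in apparmor-profiles-extra.

```python
from dataclasses import dataclass, replace

PROFILE = "/etc/apparmor.d/usr.sbin.ntpd"  # path from the dpkg error in the report

@dataclass(frozen=True)
class Pkg:
    name: str
    files: frozenset
    conflicts: frozenset = frozenset()
    replaces: frozenset = frozenset()

def unpack_problems(installed, new):
    """Reasons `new` cannot be unpacked next to the `installed` packages.

    Simplified model (assumption, no versions): a declared Conflicts blocks
    co-installation; a shared path is an error unless `new` Replaces its owner.
    """
    problems = []
    for old in installed:
        if old.name in new.conflicts or new.name in old.conflicts:
            problems.append(f"{new.name} conflicts with {old.name}")
        elif old.name not in new.replaces:
            problems += [f"trying to overwrite '{p}', which is also in package {old.name}"
                         for p in sorted(new.files & old.files)]
    return problems

# Constructed manifests (not the real package contents).
EXTRA = Pkg("apparmor-profiles-extra", frozenset({PROFILE, "/etc/apparmor.d/example.other"}))
OPENNTPD = Pkg("openntpd", frozenset({PROFILE, "/usr/sbin/ntpd"}), conflicts=frozenset({"ntp"}))
NTP = Pkg("ntp", frozenset({"/usr/sbin/ntpd"}))

# Option 1: openntpd declares Conflicts against apparmor-profiles-extra.
OPENNTPD_OPT1 = replace(OPENNTPD, conflicts=OPENNTPD.conflicts | {"apparmor-profiles-extra"})
# Option 3: the profile moves out of apparmor-profiles-extra and into ntp.
EXTRA_OPT3 = replace(EXTRA, files=EXTRA.files - {PROFILE})
NTP_OPT3 = replace(NTP, files=NTP.files | {PROFILE})

if __name__ == "__main__":
    for label, installed, new in [
        ("as reported", [EXTRA], OPENNTPD),
        ("option 1", [EXTRA], OPENNTPD_OPT1),
        ("option 3", [EXTRA_OPT3], OPENNTPD),
        ("option 3, ntp installed", [EXTRA_OPT3, NTP_OPT3], OPENNTPD),
    ]:
        print(label, "->", unpack_problems(installed, new) or "ok")
```

Under option 1 the overwrite error becomes a package conflict, so openntpd users lose every other profile in apparmor-profiles-extra; under option 3 the only remaining conflict is the existing one between ntp and openntpd.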