Comment 30 for bug 577919

jeremiejig, thanks for your work on this. I think I am going to solve it in a different way however. It would be nice if AppArmor could merge profiles, but we can't yet, so we need to do like you initially did: have two mostly identical profiles. Because the lightdm remote sessions are shipping policy copies, the maintenance cost is getting high. I will be abstracting out the guest rules into abstracations/lightdm and then have a small snippet using a child profile in abstractions/lightdm_chromium-browser. The guest and remote lightdm profiles can just include these and all the policy is in the abstractions. Using a lightdm.d directory is a good idea, but upstream AppArmor is currently discussing how to best handle .d directories like this, and I'd rather not add another one until that discussions is finished.