Comment 1 for bug 317109

Jamie Strandboge (jdstrand) wrote :

I just checked the apparmor profiles for Hardy, Intrepid and Jaunty, and they all have (after including the abstractions):
  #include <abstractions/ssl_certs>
  /etc/ssl/private/ r,
  /etc/ssl/private/* r,

This works out to:
  /etc/ssl/ r,
  /etc/ssl/certs/ r,
  /etc/ssl/certs/* r,
  /etc/ssl/private/ r,
  /etc/ssl/private/* r,

I think if this is going to be fixed, it should be fixed in the apparmor package, so am moving it there. The question then becomes, should /etc/apparmor.d/abstractions/ssl_certs become:
  /etc/ssl/ r,
  /etc/ssl/* r,

This would obviate the need for references to /etc/ssl/private/ (and abstractions/ssl_keys on Jaunty). What do people think?
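
The two rule sets quoted in the comment can be compared path by path. The sketch below is an added example, not part of the original comment or of the apparmor package: it models only a subset of AppArmor path globbing (`*` and `?` stay within one path component, `**` crosses `/`), treats every rule as carrying the `r` permission, and uses constructed file names.

```python
import re

def aa_glob_to_regex(pattern):
    """Translate a subset of AppArmor path globbing (*, **, ?) to a regex.

    Simplified model for illustration; it is not the apparmor parser.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")       # ** may cross directory separators
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")    # * stays inside one path component
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")     # ? is one character, never '/'
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def readable(rules, path):
    """True if any rule (all assumed to grant 'r') matches the path."""
    return any(aa_glob_to_regex(rule).match(path) for rule in rules)

# Rule paths as quoted in the comment (permission 'r' assumed for each).
CURRENT_RULES = ["/etc/ssl/", "/etc/ssl/certs/", "/etc/ssl/certs/*",
                 "/etc/ssl/private/", "/etc/ssl/private/*"]
PROPOSED_RULES = ["/etc/ssl/", "/etc/ssl/*"]

# Constructed sample paths; directories end in '/', as in AppArmor rules.
SAMPLE_PATHS = ["/etc/ssl/", "/etc/ssl/openssl.cnf", "/etc/ssl/certs/",
                "/etc/ssl/certs/ca.pem", "/etc/ssl/private/",
                "/etc/ssl/private/server.key"]

def compare():
    """Map each sample path to (readable under current, under proposed)."""
    return {p: (readable(CURRENT_RULES, p), readable(PROPOSED_RULES, p))
            for p in SAMPLE_PATHS}

if __name__ == "__main__":
    for path, (cur, new) in compare().items():
        print(f"{path:30} current={cur!s:5} proposed={new}")
```

Running a comparison like this before changing an abstraction shows exactly which paths gain or lose read access, including the private key directory.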