On 03.12.2017 13:49, Vincas Dargis wrote:
> On 2017-12-03 01:07, Alexander V. Makartsev wrote:
>> If I understood this correctly,
>> aa-complain will only switch profile to "complain mode" (log, but
>> don't block). This is effectively the same as disabling the
>> profile, which is not a good solution.
>
> I believe "deny" rules still apply even on complain mode. If
> profile has "private-files" abstraction included, your ~/.bash*
> files will be still protected.
>
>> "aa-complain" is useful for debugging and
>> writing my own profiles, but it won't be as useful when
>> partially broken profile is coming from package, because any
>> user-modifications will be over-written after package updates.
>
> User modifications can be placed into "local" includes, for
> Thunderbird it's `/etc/apparmor.d/local/usr.bin.thunderbird`, they
> will not be overwritten.
> Do not forget to reload profile with
> `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.thunderbird` afterwards.
>
> If you believe that these local modifications could be useful for
> other use cases, please report a bug with usertag modify-profile
> or buggy-profile [0]
>
> [0] https://wiki.debian.org/AppArmor/Reportbug#Usertags

Thanks for the information. It felt like there should be some way
to gracefully override profiles. Definitely gonna test that.
Also will eventually go through whole AppArmor documentation as
well at http://wiki.apparmor.net/index.php/Documentation
--
With kindest regards, Alexander.
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀⠀⠀⠀
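
The local-override workflow discussed in this thread, as an added shell example that is not part of the original messages. The function names, the `APPARMOR_D` variable and the sample rule are assumptions of this example; the paths and the `apparmor_parser -r` reload come from the thread.

```shell
#!/bin/sh
# Added example: keep site changes in the "local" include so package
# updates do not overwrite them, then reload the profile.
# APPARMOR_D is a hypothetical knob so the file handling can be tried
# in a scratch directory instead of /etc/apparmor.d.
APPARMOR_D="${APPARMOR_D:-/etc/apparmor.d}"

# Succeeds only if the packaged profile actually pulls in local/<name>.
# Without that include line, rules in the local file are never loaded.
profile_includes_local() {
    name="$1"
    grep -E '^[[:space:]]*#?include' "$APPARMOR_D/$name" \
        | grep -Fq "<local/$name>"
}

# Append one rule to local/<name> unless that exact line already exists,
# so running the script again does not duplicate the rule.
add_local_rule() {
    name="$1"
    rule="$2"
    file="$APPARMOR_D/local/$name"
    mkdir -p "$APPARMOR_D/local"
    touch "$file"
    grep -Fxq -- "$rule" "$file" || printf '%s\n' "$rule" >> "$file"
}

# Parse the profile without loading it (-Q), and replace the loaded
# profile (-r) only if parsing succeeded. Needs root.
reload_profile() {
    name="$1"
    apparmor_parser -Q "$APPARMOR_D/$name" \
        && apparmor_parser -r "$APPARMOR_D/$name"
}

# Typical use, as root (the rule below is a constructed placeholder):
#   profile_includes_local usr.bin.thunderbird || echo "no local include" >&2
#   add_local_rule usr.bin.thunderbird 'owner @{HOME}/Mail/** rwk,'
#   reload_profile usr.bin.thunderbird
```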