Re: Apparmor pain
Hi.
On Fri, Jan 29, 2021 at 12:49:42PM +0000, Tony van der Hoff wrote:
> This is a simplified scenario: Say I have 2 machines, both running Debian 10.7. Each machine has 3 users: A, B and C. Each machine has an identical (maintained
> by Unison) directory: /home/C/pictures, with permissions ugo:rwx owned by C. Each file therein has permissions ugo:r
...
> I don't understand why my two machines are behaving so differently.
uid difference between hosts A and B, most probably.
Among other things, thunderbird's apparmor policy contains this:
    owner @{HOME}/** r,
I.e. it's allowed to read any file at /home as long as the file is owned
by thunderbird's uid.
> I don't think I really want apparmor running at all,
Add apparmor=0 to kernel's cmdline. Building a kernel without apparmor
helps with that too, but that's straying too far from Debian's defaults.
> The debian wiki gives me a way to disable apparmor by patching grub,
> but that seems like overkill.
You probably got it wrong. Modifying a kernel cmdline and rebuilding
grub with custom patches are different, and they should suggest the former
at Debian's wiki.
> Does anyone please have any suggestions on how to enable an application
> without major surgery? Any help appreciated. Thanks
Disabling a problematic apparmor profile altogether is done by:
    /usr/sbin/aa-disable /usr/bin/thunderbird
Disabling a problematic apparmor profile but keeping audit records
generation is done by:
    /usr/sbin/aa-complain /usr/bin/thunderbird
You'll want the first one, probably.
Reco
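
Added example, not part of Reco's message: a way to see which files would fail the uid condition of the `owner @{HOME}/** r,` rule quoted above, by comparing each file's numeric owner with the uid the application runs as. The function names are hypothetical, GNU `find` and `stat` (as on Debian) are assumed, and only the ownership condition is evaluated; other rules in the profile may still grant access.

```shell
#!/bin/sh
# Diagnose files that do not satisfy the uid condition of an AppArmor
# `owner` rule. Added example; function names are hypothetical.

# owner_mismatches DIR [UID]
# Print "uid username path" for every regular file under DIR whose numeric
# owner differs from UID (default: the uid of the calling user).
# A username of UNKNOWN means the uid has no passwd entry on this host,
# which is typical when files were synced from a host with different uids.
owner_mismatches() {
    dir=$1
    uid=${2:-$(id -u)}
    # -uid compares the numeric owner, so identical user names that map to
    # different uids on two hosts are still detected.
    find "$dir" -type f ! -uid "$uid" -exec stat -c '%u %U %n' {} +
}

# count_owner_mismatches DIR [UID]
# Print only the number of such files. One dot is emitted per file so that
# file names containing newlines cannot distort the count.
count_owner_mismatches() {
    dir=$1
    uid=${2:-$(id -u)}
    find "$dir" -type f ! -uid "$uid" -exec printf '.' \; | wc -c | tr -d ' '
}

# Stand-alone use: sh script.sh /home/C/pictures [uid]
if [ "$#" -ge 1 ]; then
    owner_mismatches "$@"
fi
```

Run it on both machines as the user who starts thunderbird; if one host lists the files and the other does not, the ownership differs between the two hosts.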