Re: Apparmor pain

On 29/01/2021 13:27, Reco wrote:

On Fri, Jan 29, 2021 at 12:49:42PM +0000, Tony van der Hoff wrote:
This is a simplified scenario: Say I have 2 machines, both running Debian 10.7. Each machine has 3 users: A, B and C. Each machine has an identical (maintained
by Unison) directory: /home/C/pictures, with permissions ugo:rwx owned by C. Each file therein has permissions ugo:r
I don't understand why my two machines are behaving so differently.

uid difference between hosts A and B, most probably.
Among other things, thunderbird's apparmor policy contains this:

     owner @{HOME}/** r,

I.e. it's allowed to read any file at /home as long as the file is owned
by thunderbird's uid.

I don't think I really want apparmor running at all,

Add apparmor=0 to kernel's cmdline. Building a kernel without apparmor
helps with that too, but that's straying too far from Debian's defaults.

The debian wiki gives me a way to disable apparmor by patching grub,
but that seems like overkill.

You probably got it wrong. Modifying a kernel cmdline and rebuilding
grub with custom patches are different, and they should suggest the former
at Debian's wiki.

Does anyone please have any suggestions on how to enable an application
without major surgery? Any help appreciated. Thanks

Disabling a problematic apparmor profile altogether is done by:

/usr/sbin/aa-disable /usr/bin/thunderbird

Disabling a problematic apparmor profile but keeping audit records
generation is done by:

/usr/sbin/aa-complain /usr/bin/thunderbird

You'll want the first one, probably.


Thanks, Reco, that was just the information I needed. I had to install apparmor-utils, but otherwise aa-disable did the job.

Cheers, Tony
Tony van der Hoff
Buckinghamshire, England
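As an added illustration (not code from the thread or from Debian), a small POSIX shell script that reproduces the `owner @{HOME}/** r,` check locally, so the uid mismatch Reco describes can be confirmed on each host before reaching for aa-complain or aa-disable. It assumes GNU `stat`, and `profile_mode` reads the kernel's profile list at `/sys/kernel/security/apparmor/profiles` (assumed path; absent where AppArmor is off), with the profile name passed in by the caller.

```shell
#!/bin/sh
# The "owner" qualifier matches only when the file's uid equals the uid of the
# confined process, and @{HOME} expands to that same user's home. Both must
# hold for "owner @{HOME}/** r," to permit the read; a file that is world-
# readable (ugo:r) but owned by a different uid is still denied.

# owner_rule_allows FILE UID HOME
#   0 if the owner rule would permit UID to read FILE, 1 if not, 2 on stat error
owner_rule_allows() {
    local file="$1" uid="$2" home="$3" file_uid
    file_uid=$(stat -c %u -- "$file" 2>/dev/null) || return 2
    case $file in
        "$home"/*) ;;      # inside @{HOME}/**
        *) return 1 ;;     # outside the user's home: the rule never matches
    esac
    [ "$file_uid" -eq "$uid" ]   # owner qualifier: file uid == process uid
}

# explain_read FILE UID HOME prints a one-line verdict; exit status as above.
explain_read() {
    local file="$1" uid="$2" home="$3" file_uid
    if owner_rule_allows "$file" "$uid" "$home"; then
        echo "allow: $file is under $home and owned by uid $uid"
        return 0
    fi
    file_uid=$(stat -c %u -- "$file" 2>/dev/null) \
        || { echo "error: cannot stat $file"; return 2; }
    # This is the cross-host symptom: same path, same mode bits, different uid.
    echo "deny: $file owned by uid $file_uid, reader runs as uid $uid (home $home)"
    return 1
}

# profile_mode NAME prints enforce/complain for a loaded profile, "not-loaded"
# if the name is absent, or "unknown" when the kernel list is unreadable.
profile_mode() {
    local list=/sys/kernel/security/apparmor/profiles   # assumed path
    [ -r "$list" ] || { echo unknown; return 1; }
    awk -v n="$1" '$1 == n { gsub(/[()]/, "", $2); print $2; found = 1; exit }
                   END { if (!found) print "not-loaded" }' "$list"
}
```

Run `explain_read /home/C/pictures/photo.jpg "$(id -u C)" /home/C` on each host; if the verdicts differ, the uids differ, and aligning them is the alternative to disabling the profile.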

