Re: Apparmor pain
On Fri 29 Jan 2021 at 14:21:07 +0000, Tony van der Hoff wrote:
>
>
> On 29/01/2021 13:27, Reco wrote:
> > Hi.
> >
> > On Fri, Jan 29, 2021 at 12:49:42PM +0000, Tony van der Hoff wrote:
> > > This is a simplified scenario: Say I have 2 machines, both running Debian 10.7. Each machine has 3 users: A, B and C. Each machine has an identical (maintained
> > > by Unison) directory: /home/C/pictures, with permissions ugo:rwx owned by C. Each file therein has permissions ugo:r
> > ...
> > > I don't understand why my two machines are behaving so differently.
> >
> > uid difference between hosts A and B, most probably.
> > Along the other things, thunderbird's apparmor policy contains this:
> >
> > owner @{HOME}/** r,
> >
> > I.e. it's allowed to read any file at /home as long as the file is owned
> > by thunderbird's uid.
> >
> >
> > > I don't think I really want apparmor running at all,
> >
> > Add apparmor=0 to kernel's cmdline. Building a kernel without apparmor
> > helps with that too, but that's straying too far from Debian's defaults.
> >
> >
> > > The debian wiki gives me a way to disable apparmor by patching grub,
> > > but that seems like overkill.
> >
> > You probably got it wrong. Modifying a kernel cmdline and rebuilding
> > grub with custom patches are different, and they should suggest former
> > at Debian's wiki.
> >
> >
> > > Does anyone please have any suggestions on how to enable an application
> > > without major surgery? Any help appreciated. Thanks
> >
> > Disabling a problematic apparmor profile altogether is done by:
> >
> > /usr/sbin/aa-disable /usr/bin/thunderbird
> >
> > Disabling a problematic apparmor profile but keeping audit records
> > generation is done by
> >
> > /usr/sbin/aa-complain /usr/bin/thunderbird
> >
> > You'll want the first one, probably.
> >
> > Reco
> >
>
> Thanks, Reco, that was just the information I needed. I had to install
> apparmor-utils, but otherwise aa-disable did the job.
Debian's default provision of apparmor is something I can take or
leave. Generally, I leave it by purging it from the system rather
than installing another unneeded package.
--
Brian.
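To make Reco's point about the `owner` modifier concrete, here is a small evaluator of AppArmor-style path rules, added as an illustration and not taken from the thread or from the AppArmor project. It assumes that `@{HOME}` expands to `/home/*` (an approximation of Debian's tunables/home definition, which covers every user's home directory), that `*` matches within one path component while `**` crosses `/`, and that an `owner` rule only matches when the reading process's uid equals the file's owner uid. The uids and the "two hosts" scenario are constructed to show how the same username with a different uid on another host changes the outcome; they are not a diagnosis of the poster's machines.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    pattern: str        # path glob with @{HOME} already expanded
    perms: str          # permission letters, e.g. "r" or "rw"
    owner: bool = False # True for "owner ..." rules (file uid must equal process uid)


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate AppArmor path globbing: '*' stays inside one component, '**' crosses '/'."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rule(line: str, home_glob: str = "/home/*") -> Rule:
    """Parse one profile line such as 'owner @{HOME}/** r,' (assumed expansion of @{HOME})."""
    parts = line.strip().rstrip(",").split()
    owner = parts[0] == "owner"
    if owner:
        parts = parts[1:]
    path, perms = parts
    return Rule(path.replace("@{HOME}", home_glob), perms, owner)


def allowed(rules, path: str, perm: str, proc_uid: int, file_uid: int) -> bool:
    """Return True if any rule grants `perm` on `path` to a process running as `proc_uid`."""
    for rule in rules:
        if perm not in rule.perms:
            continue
        if not glob_to_regex(rule.pattern).match(path):
            continue
        if rule.owner and proc_uid != file_uid:
            continue  # 'owner' rule: file must belong to the process uid
        return True
    return False


# Constructed scenario: user C is uid 1002 on host1 but uid 1003 on host2,
# while the synced picture kept numeric owner 1002 on both hosts.
THUNDERBIRD_RULES = [parse_rule("owner @{HOME}/** r,")]
PICTURE = "/home/C/pictures/holiday.jpg"
FILE_UID = 1002
UID_OF_C = {"host1": 1002, "host2": 1003}


def per_host_result() -> dict:
    """Whether Thunderbird running as user C can read the picture on each host."""
    return {host: allowed(THUNDERBIRD_RULES, PICTURE, "r", uid, FILE_UID)
            for host, uid in UID_OF_C.items()}


if __name__ == "__main__":
    for host, ok in per_host_result().items():
        print(f"{host}: read {'allowed' if ok else 'DENIED'} by 'owner @{{HOME}}/** r,'")
```

The evaluator only models the path rules, not the rest of a profile, but it shows the shape of the problem: an `owner` rule compares numeric uids, so two hosts that agree on usernames but not on uid assignments behave differently on files that keep one host's numeric ownership. Checking `id -u C` on both machines, or `stat -c '%u' /home/C/pictures/*`, is the real-world counterpart of the constructed dictionary above.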