On 03.12.2017 13:49, Vincas Dargis wrote:
> On 2017-12-03 01:07, Alexander V. Makartsev wrote:
>> If I understood this correctly, aa-complain will only switch profile
>> to "complain mode" (log, but don't block). This is effectively the
>> same as disabling the profile, which is not a good solution.
>
> I believe "deny" rules still apply even in complain mode. If profile
> has "private-files" abstraction included, your ~/.bash* files will be
> still protected.
>
>> "aa-complain" is useful for debugging and writing my own profiles,
>> but it won't be as useful when partially broken profile is coming
>> from package, because any user-modifications will be over-written
>> after package updates.
>
> User modifications can be placed into "local" includes, for Thunderbird
> it's `/etc/apparmor.d/local/usr.bin.thunderbird`, they will not be
> overwritten.
>
> Do not forget to reload profile with
> `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.thunderbird` afterwards.
>
> If you believe that these local modifications could be useful for
> other use cases, please report a bug with usertag modify-profile or
> buggy-profile [0]
>
> [0] https://wiki.debian.org/AppArmor/Reportbug#Usertags

Thanks for the information. It felt like there should be some way to
gracefully override profiles. Definitely gonna test that.
Also will eventually go through the whole AppArmor documentation as well at
http://wiki.apparmor.net/index.php/Documentation

-- 
With kindest regards, Alexander.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀⠀⠀⠀