[added d-dev back] * intrigeri <intrig...@debian.org> [180319 07:40]: > Marvin Renich: > > Actually, a short beginner's guide as a text file in > > /usr/share/doc/apparmor, which has more than just "how to disable a > > profile" would be extremely helpful. I don't have the apparmor > > knowledge to write it, though. > > FYI the most useful bits were added to > https://wiki.debian.org/AppArmor/HowToUse > which is linked from /usr/share/doc/apparmor/README.Debian :) > > It's only a start and there's lots of room for improvement, > but it's a start.
Thanks for this pointer! Adding these two links [1], [2] on that page might be helpful. I found them by following links to [3]. As a side note, my laptop runs testing, and I allowed apparmor to be enabled when that change hit testing. The only issue I have noticed so far is that smbd would not have access to some (intentionally public, not in /home) shares if it were in enforce mode, rather than complain mode. If I were not aware of apparmor, and if smbd were in enforce mode, I would have had a difficult time tracking this down. Is there a way that an app (e.g. smbd) whose file access requirements change dynamically through admin and user configuration can at least inspect its own apparmor profile and give the user a clue that the admin must update the profile? For Samba, perhaps at least a comment in /etc/samba/smb.conf at "Share Definitions" giving a reminder that if any LSM is enabled, the LSM config may need to be updated to reflect changes to shares. (Samba maintainers added to CC; please remove them for replies not pertaining to samba.) ...Marvin [1] Creating and modifying AppArmor policy with the tools https://gitlab.com/apparmor/apparmor/wikis/Profiling_with_tools [2] Creating and modifying AppArmor policy by hand https://gitlab.com/apparmor/apparmor/wikis/Profiling_by_hand [3] https://gitlab.com/apparmor/apparmor/wikis/Documentation