On Mon, Mar 19, 2018 at 10:10:02AM -0400, Marvin Renich wrote:
> Is there a way that an app (e.g. smbd) whose file access requirements
> change dynamically through admin and user configuration can at least
> inspect its own apparmor profile and give the user a clue that the admin
> must update the profile?

Our friends at SUSE have a script that automatically generates portions of
an AppArmor profile for Samba based on the Samba configuration:
https://bugzilla.novell.com/show_bug.cgi?id=688040

I'm not entirely sold on the idea, as a hand-authored security policy
can serve as belt-and-suspenders against misconfiguration or a broken
management system that allows unauthenticated users to create too-wide
shares.

The usability gain is undeniable.

Thanks

Attachment: signature.asc
Description: PGP signature

Reply via email to