[apparmor] [PATCH] local site-specific changes
Jamie Strandboge
jamie at canonical.com
Fri Aug 13 14:25:07 BST 2010
On Fri, 2010-08-13 at 05:54 -0700, Steve Beattie wrote:
> On Thu, Aug 05, 2010 at 03:18:22PM -0500, Jamie Strandboge wrote:
> > As mentioned in the last meeting, there is a desire to allow
> > administrators to adjust/override a shipped profile via an include file.
> > Attached is a patch that achieves this.
> >
> > Profiles in profiles/apparmor.d/* now include (with comment)
> > local/path.to.binary
> >
> > /etc/apparmor.d/local/path.to.binary has only a comment
> >
> > /etc/apparmor.d/local/README explains what this is all about
> >
> > profiles/Makefile is adjusted to create
> > profiles/apparmor.d/local/paths.to.binaries and install them. 'clean'
> > will clean them up.
>
> Alas, all this doesn't lead to the usability improvements you might
> think it does, as on reload, the parser doesn't detect that the local/
> files have changed, the cached blob is reloaded, and whatever policy
> issue the admin is trying to address remains unaddressed in the
> policies currently loaded into the kernel.
>
> I've filed LP: #617375 about the issue.
>
This should certainly be fixed, but I've been telling people (online and
in wiki documentation) to do the following to reload a specific profile,
since using the initscript is so heavy-handed:

    apparmor_parser -r -W -T /etc/apparmor.d/...

I assume you are suggesting that '-r' here also look at the includes.
--
Jamie Strandboge | http://www.canonical.com
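
The check whose absence is described in the quoted reply (a cached blob reused even though a local/ include changed), sketched as an added example; it is not AppArmor parser code and not from this thread. It assumes includes are written as `#include <path>` relative to the profile base directory, and the file names and cache location in `demo()` are constructed.

```python
import os
import re
import tempfile

# Assumed include form: '#include <path>' resolved against the profile base dir.
INCLUDE_RE = re.compile(r'^\s*#?include\s+<([^>]+)>')

def collect_includes(path, base_dir, seen=None):
    """Return every file reachable from `path` through include lines."""
    seen = set() if seen is None else seen
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = INCLUDE_RE.match(line)
            target = os.path.join(base_dir, m.group(1)) if m else None
            if target is None or target in seen or not os.path.isfile(target):
                continue  # not an include, already visited, missing, or a directory
            seen.add(target)
            collect_includes(target, base_dir, seen)
    return seen

def stale_inputs(profile, base_dir, cache_file):
    """List the profile inputs modified after the cached blob was written."""
    if not os.path.exists(cache_file):
        return [profile]
    cache_mtime = os.stat(cache_file).st_mtime
    inputs = [profile] + sorted(collect_includes(profile, base_dir))
    return [p for p in inputs if os.stat(p).st_mtime > cache_mtime]

def demo():
    """Constructed tree: cache is fresh, then the local/ override is edited."""
    with tempfile.TemporaryDirectory() as base:
        files = {
            "usr.bin.example": "/usr/bin/example {\n  #include <local/usr.bin.example>\n}\n",
            "local/usr.bin.example": "# site-specific additions\n",
            "cache/usr.bin.example": "constructed stand-in for the cached blob\n",
        }
        paths = {}
        for rel, text in files.items():
            paths[rel] = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(paths[rel]), exist_ok=True)
            with open(paths[rel], "w") as fh:
                fh.write(text)
            os.utime(paths[rel], (200, 200) if rel.startswith("cache/") else (100, 100))
        profile, cache = paths["usr.bin.example"], paths["cache/usr.bin.example"]
        before = stale_inputs(profile, base, cache)
        os.utime(paths["local/usr.bin.example"], (300, 300))  # admin edits the override
        after = stale_inputs(profile, base, cache)
        return before, [os.path.relpath(p, base).replace(os.sep, "/") for p in after]
```

A non-empty result from `stale_inputs` means the cached blob no longer reflects the policy text on disk and the profile should be recompiled rather than loaded from cache.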