[apparmor] permissions on profiles in /etc/apparmor.d

Berkeley Roshan Churchill berkeleychurchill at gmail.com
Fri Aug 22 22:00:01 UTC 2014


Hi folks,

    I'm having trouble correctly setting permissions on profiles in the
/etc/apparmor.d folder.

    On my systems, some of these files have permissions 0600 and others
have 0644.  My instinct is that 0600 is preferable, since I see no
reason for non-root users to access them.  However, every time I run my
configuration management system, and it changes a file from 0644 to
0600, and then runs aa-enforce, it causes the file to revert back to
0644.  Any idea what's going on here?  Is there a best practice in this
regard that I should follow?

Best wishes,
Berkeley


