[apparmor] understanding apparmor_parser debug output
vindrg at gmail.com
Sat Apr 1 06:38:27 UTC 2017
2017.04.01 02:55, John Johansen wrote:
> The denied info is stored as a separate flag, and I would say it is a bug that debug is not outputting it.
Should I report it on Launchpad? Or is it good enough to have notified you here?
> Overall, I would say auditing profiles is far too hard at the moment and we need some lint, and auditing tools to help with the process
Yeah, maybe some GUI/TUI tool would be useful, one that would display your actual file system tree marked with
red/green/whatever colors or other symbolism, showing what the confined application can actually (or conceptually, if the actual
file/directory or a pattern mentioned in the profile does not yet exist) access when the inspected profile is in effect.