[apparmor] understanding apparmor_parser debug output

Vincas Dargis vindrg at gmail.com
Sat Apr 1 06:38:27 UTC 2017


2017.04.01 02:55, John Johansen wrote:
> The denied info is stored as a separate flag, and I would say it is a bug that debug is not outputting it.

Should I report it on Launchpad? Or is it good enough to have you notified here?

> Overall, I would say auditing profiles is far too hard at the moment and we need some lint, and auditing tools to help with the process

Yeah, maybe some GUI/TUI tool would be useful, one that would display your actual file system tree marked with
red/green/whatever colors or other symbolism, showing what the confined application can actually (or conceptually, if the actual
file/directory or a pattern mentioned in the profile does not yet exist) access when the inspected profile is in effect.


