[apparmor] AppArmor and kernel capabilities

linux maillist mailinglisten at posteo.de
Tue Sep 12 17:04:06 UTC 2017

Good day,

I run AppArmor version 2.10.2 on a kernel 4.4 system.

I creates a profile for gpg and that profile requested now the
capability dac_override.

This raises some questions to me. First, does dac_override honor the
folder permission rules within the profile? For example, if there is a
rule "/foo/** r," does dac_override this rule?

If dac_override still honors the folder rules, what then is the point to
ask for that capability?

Lastly, why is that capability requested at all?

Normally AppArmor complains if r/w to a certain file/folder is needed.
But, here a capability was requested.
Requesting dac_override does not give any hint, what file or folder is
required to access...

Would be nice if someone could give me a hint on that CAP vs AppArmor
issue :-)

More information about the AppArmor mailing list