[apparmor] Question about defining a profile name via @{exec_path} variable
Mikhail Morfikov
mmorfikov at gmail.com
Thu Jan 10 02:33:39 UTC 2019
On 10/01/2019 01:31, John Johansen wrote:
> Well this is certainly allowed, and the python based tools should be able
> to support it. Are you sure they weren't failing in the past? If so this
> would be a regression.
I have around 300 profiles, some of them are disabled because they're not
finished yet, but currently I have:
# aa-status
apparmor module is loaded.
230 profiles are loaded.
164 profiles are in enforce mode.
...
And I've been frequently using aa-complain/aa-enforce, because sometimes
profiles have to be fixed, and if you have that many profiles, you do it
from time to time. And the tools were working fine. aa-disable also was
working, but now:
# aa-disable usr.bin.keepassxc
ERROR: Profile for @{exec_path} exists in ...
I thought maybe it was an error in the profiles, because the tools often
fail when there's some syntax error. But I removed the profiles that were
listed in the error, and I got two other conflicting profiles with the
@{exec_path} variable. So I'm pretty sure it was working well before.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20190110/02417125/attachment.sig>
More information about the AppArmor
mailing list