[apparmor] Patching a system profile for a specific user

azurit at pobox.sk azurit at pobox.sk
Sat Jan 11 07:25:33 UTC 2020


Hi,

just put this in /etc/apparmor.d/local/usr.bin.thunderbird :
owner @{HOME}/.signature.d/** r,


azur




Quoting Sylvain Leroux <sylvain at chicoree.fr>:

>
> Hi everyone,
>
> I'm a seasoned Linux administrator but I have little prior experience
> with AppArmor.  FWIW, I have already asked this question on the
> SuperUser StackExchange web site this afternoon [1], but it received
> little interest, and I now have little hope of getting an answer there.
>
> Our Linux Debian boxes have a standard policy for the Thunderbird
> email client in `/etc/apparmor.d/usr.bin.thunderbird`.
>
> One user needs Thunderbird to have read access to the files stored in
> his `${HOME}/signature.d/` folder. Is there a way to create a
> user-specific profile that _includes_ the default profile settings,
> but grants extra access to the needed files? I didn't find any
> reference about that particular use case, and my first attempts were
> unsuccessful. But I can't say if my syntax was wrong, or if this
> wasn't possible at all. Here is what I tried:
>
>
> ```
> $ cat "${HOME}/.apparmor.d/usr.bin.thunderbird"
>
> #include </etc/apparmor.d/usr.bin.thunderbird>
>
> profile thunderbird @{thunderbird_executable} {
>   owner @{HOME}/.signature.d/** r,
> }
>
> $ sudo systemctl restart apparmor
>
> ```
>
>
> This doesn't seem to change anything. At this point I don't think the
> user-specific profile is read at all. Could you help me fix that?
>
>
> Thanks a lot,
> - Sylvain Leroux
>
>
>
> [1] https://superuser.com/questions/1516181/configure-apparmor-to-allow-file-access-on-a-per-user-basis
>
> --
> -- Sylvain Leroux
> -- sylvain at chicoree.fr
> -- http://www.chicoree.fr

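Added example (not part of either message above, and not code from the AppArmor project): a POSIX shell version of the suggested fix that first checks that the system profile really includes its local/ file, then appends the rule only once. The function names, the temporary directory and the stand-in profile are constructed for illustration; on a real host the directory is /etc/apparmor.d and the profile is reloaded as shown in the comment.

```shell
#!/bin/sh
# Constructed example: functions take the AppArmor directory as an argument
# so they can be exercised on a scratch tree instead of /etc/apparmor.d.

# Succeeds if the system profile pulls in its site-local override file.
# Accepts "#include <local/X>", "include <local/X>" and
# "include if exists <local/X>". Dots in the name match loosely (regex).
profile_includes_local() {  # $1 = apparmor dir, $2 = profile file name
    grep -Eq "^[[:space:]]*#?include[[:space:]]+(if[[:space:]]+exists[[:space:]]+)?<local/$2>" "$1/$2"
}

# Appends a rule to local/<profile>, refusing if the profile would never
# read that file, and skipping the write if the exact line already exists.
add_local_rule() {  # $1 = apparmor dir, $2 = profile file name, $3 = rule
    profile_includes_local "$1" "$2" || return 1
    mkdir -p "$1/local"
    touch "$1/local/$2"
    grep -Fxq -- "$3" "$1/local/$2" || printf '%s\n' "$3" >> "$1/local/$2"
}

# Runs the procedure twice on a constructed tree and prints how many
# lines ended up in the local file.
demo() {
    d=$(mktemp -d)
    # Stand-in for the packaged profile; only the include line matters here.
    printf '%s\n' 'profile thunderbird /usr/bin/thunderbird {' \
        '  #include <local/usr.bin.thunderbird>' \
        '}' > "$d/usr.bin.thunderbird"
    add_local_rule "$d" usr.bin.thunderbird 'owner @{HOME}/.signature.d/** r,'
    add_local_rule "$d" usr.bin.thunderbird 'owner @{HOME}/.signature.d/** r,'
    grep -c . "$d/local/usr.bin.thunderbird"
    rm -rf "$d"
}

demo

# On a real host, as root, the same steps are:
#   add_local_rule /etc/apparmor.d usr.bin.thunderbird 'owner @{HOME}/.signature.d/** r,'
#   apparmor_parser -r /etc/apparmor.d/usr.bin.thunderbird
```

Because the rule uses `owner @{HOME}`, it applies to every user's own ~/.signature.d directory, not only to one account.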