[apparmor] Patching a system profile for a specific user
John Johansen
john.johansen at canonical.com
Sat Jan 11 11:20:39 UTC 2020
On 1/11/20 2:40 AM, azurit at pobox.sk wrote:
> Quoting Sylvain Leroux <sylvain at chicoree.fr>:
>
>> Thanks azur,
>>
>> On 11/01/2020 08:25, azurit at pobox.sk wrote:
>>> just put this in /etc/apparmor.d/local/usr.bin.thunderbird :
>>> owner @{HOME}/.signature.d/** r,
>>
>>
>> My issue is I don't want to change the system configuration.
>
>
> This isn't possible. That file is used for local changes only and won't be replaced with updates.
>
>
>
>> I would like to grant the extra permission *only* for the user that needs it.
>
> So do this:
>
> owner /home/specific_user/.signature.d/** r,
>
This is your best bet atm. You can do it without modifying the profile by adding
a site-specific rule if you are using any somewhat modern version of the profile.
You can check by looking for the following rule:

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.thunderbird>

You can drop the above rule

  owner /home/specific_user/.signature.d/** r,

into the /etc/apparmor.d/local/usr.bin.thunderbird file (if it doesn't exist,
just create it) and this will give you your site-specific rule without having
to modify the profile.

See my other mail for a different, more involved way to do it.
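
The steps in the message above, written as shell functions. This is an added example, not part of the original post or of AppArmor's own tooling. The function names are hypothetical, the home directory is assumed to be /home/<user>, and paths are passed as arguments so the functions can be tried on copies before touching /etc/apparmor.d.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Succeeds if the profile pulls in local/<name>, in either the
# "#include <local/NAME>" or the "include [if exists] <local/NAME>" form.
has_local_include() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # treat dots in the name literally
    grep -Eq "^[[:space:]]*#?include([[:space:]]+if[[:space:]]+exists)?[[:space:]]+<local/${esc}>" "$1"
}

# Builds the per-user rule. The name is restricted to [a-z0-9_-] so that no
# glob or path characters can widen the rule beyond one home directory.
# Assumption: the user's home is /home/<user>.
signature_rule() {
    case $1 in
        ''|*[!a-z0-9_-]*) echo "invalid user name: $1" >&2; return 1 ;;
    esac
    printf 'owner /home/%s/.signature.d/** r,\n' "$1"
}

# Appends the rule to the local file unless the identical line is already
# there; creates the file if missing. Prints "added" or "present".
add_local_rule() {
    local_file=$1; rule=$2
    if [ -f "$local_file" ] && grep -Fxq -- "$rule" "$local_file"; then
        echo present; return 0
    fi
    # Keep the new rule on its own line if the file lacks a final newline.
    if [ -s "$local_file" ] && [ -n "$(tail -c 1 "$local_file")" ]; then
        echo >> "$local_file"
    fi
    printf '%s\n' "$rule" >> "$local_file"
    echo added
}

# Usage: grant_signature_read PROFILE LOCAL_FILE USER
# Refuses (exit 2) when the profile has no local include, because a rule in
# the local file would then never be loaded.
grant_signature_read() {
    profile=$1; target=$2; user=$3
    has_local_include "$profile" "$(basename "$profile")" || {
        echo "no local include in $profile" >&2; return 2; }
    rule=$(signature_rule "$user") || return 1
    add_local_rule "$target" "$rule"
}
# After a change, reload the profile as root: apparmor_parser -r PROFILE
```

On a real system this would be called as root with /etc/apparmor.d/usr.bin.thunderbird and /etc/apparmor.d/local/usr.bin.thunderbird as the first two arguments.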