[apparmor] loading a user version of a profile in place of the system profile

John Beattie jkb at jkbsc.co.uk
Sat Jan 8 17:51:02 UTC 2022


Hi,

Thanks for apparmor, it is very useful.

I get two behaviours which encourage me to try to make a specialised profile for
open office: first, I get ALLOWED warnings in logwatch, and second, open
office doesn't start properly.  I think that the splash window doesn't finish
properly.  This isn't a blocker. If I switch to the document window, everything
is fine.

I have a slightly customised version of usr.lib.libreoffice.program.oosplash and
usr.lib.libreoffice.program.soffice.bin which I have placed at ~/.apparmor.d/.
They do work, if I load them with apparmor_parser.  They work in the sense that
neither of the above behaviours is seen.

After a reboot, I saw that apparmor wasn't using my profiles, so I thought of
clearing the apparmor cache and ran these commands:

# aa-teardown
# service apparmor stop
# rm /var/cache/apparmor.d/nnnnn/*    # nnnn names the actual cache, I guess
# service apparmor start


However, my user profile was still not used for open office; I get the ALLOWED
warnings in kern.log.

My usecase is that I would like a specialised version of a system profile to be
used for open office when open office is used by me.

I've looked in the wiki but so far all I have found is the policy layout page

https://gitlab.com/apparmor/apparmor/-/wikis/Policy_Layout

and it tells me that ${APPARMOR.D} is used to refer to both the directory in ~
and the one in /etc, but without distinguishing them.

Please would someone point me at the documentation which describes the loading
sequence relevant to my usecase?


Many thanks,
John Beattie
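The check and the reload step behind the question above, as an added example that is not part of the original message and not code from the AppArmor project. On Debian- and Ubuntu-style systems the apparmor service loads the files under /etc/apparmor.d at boot and knows nothing about ~/.apparmor.d, so a profile loaded by hand from the home directory is replaced by the system profile of the same name at the next boot; clearing the cache does not change that, because the cache is only a compiled copy of the /etc/apparmor.d files and is rebuilt from them. The script reports which mode the kernel currently has for the soffice.bin profile (the kernel writes apparmor="ALLOWED" only for profiles in complain mode), lists the profiles behind ALLOWED lines in a log, and, when asked to as root, replaces the loaded profile with the copy in ~/.apparmor.d. The profile name, the file paths, and the sample listing and log lines are assumptions and constructed data that follow the names used in the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from the AppArmor project.
# Shows the check and the reload step behind the post: which mode the kernel
# currently has for the soffice.bin profile, which profiles are emitting
# apparmor="ALLOWED" lines, and how to replace the loaded profile with the
# copy kept in ~/.apparmor.d. Profile name and file names are assumptions that
# follow the names used in the post.

PROFILE_NAME="/usr/lib/libreoffice/program/soffice.bin"
USER_PROFILE="$HOME/.apparmor.d/usr.lib.libreoffice.program.soffice.bin"

# profile_mode LISTING NAME
# LISTING is the text of /sys/kernel/security/apparmor/profiles (what aa-status
# reads), one "NAME (mode)" line per loaded profile. Prints the mode of NAME,
# or "unloaded" if no such profile is loaded. Child profiles (NAME//child) do
# not match because the pattern requires " (" right after NAME.
profile_mode() {
    listing=$1; name=$2
    found=$(printf '%s\n' "$listing" | while IFS= read -r line; do
        case $line in
            "$name ("*")")
                mode=${line#"$name ("}        # strip leading 'NAME ('
                printf '%s\n' "${mode%")"}"   # strip trailing ')'
                break ;;
        esac
    done)
    printf '%s\n' "${found:-unloaded}"
}

# allowed_profiles LOG
# Prints, one per line and deduplicated, the profile= values of every
# apparmor="ALLOWED" audit line in LOG. The kernel logs ALLOWED only for
# profiles in complain mode, so each name printed is a profile that is loaded
# but not enforcing.
allowed_profiles() {
    printf '%s\n' "$1" \
        | grep -F 'apparmor="ALLOWED"' \
        | sed -n 's/.* profile="\([^"]*\)".*/\1/p' \
        | sort -u
}

# load_user_profile
# Replaces the loaded profile with the one from ~/.apparmor.d. Needs root.
# -r replaces an already-loaded profile of the same name; -K (--skip-cache)
# keeps the parser from reusing a cached compile of the identically named
# system file instead of compiling this one.
load_user_profile() {
    if [ ! -r "$USER_PROFILE" ]; then
        echo "no readable user profile at $USER_PROFILE" >&2
        return 1
    fi
    apparmor_parser -r -K "$USER_PROFILE"
}

# Constructed sample data so the helpers can be exercised without AppArmor.
SAMPLE_LISTING='/usr/lib/libreoffice/program/soffice.bin (complain)
/usr/lib/libreoffice/program/soffice.bin//gpg (complain)
/usr/lib/libreoffice/program/oosplash (enforce)
/usr/sbin/cupsd (enforce)'

SAMPLE_LOG='Jan  8 17:40:01 host kernel: audit: type=1400 audit(1641663601.123:45): apparmor="ALLOWED" operation="open" profile="/usr/lib/libreoffice/program/soffice.bin" name="/home/john/.config/fontconfig/" pid=2345 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan  8 17:40:01 host kernel: audit: type=1400 audit(1641663601.130:46): apparmor="ALLOWED" operation="open" profile="/usr/lib/libreoffice/program/soffice.bin" name="/home/john/.cache/" pid=2345 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan  8 17:40:02 host kernel: audit: type=1400 audit(1641663602.456:47): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=999 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

echo "sample: $PROFILE_NAME is $(profile_mode "$SAMPLE_LISTING" "$PROFILE_NAME")"
echo "sample: profiles behind ALLOWED lines:"; allowed_profiles "$SAMPLE_LOG"

# Live checks; these do nothing on a host without AppArmor (the securityfs
# file is normally readable by root only).
if [ -r /sys/kernel/security/apparmor/profiles ]; then
    live=$(cat /sys/kernel/security/apparmor/profiles)
    echo "live: $PROFILE_NAME is $(profile_mode "$live" "$PROFILE_NAME")"
fi
# Reload only when asked for explicitly: run as root with "--reload".
if [ "${1:-}" = "--reload" ]; then
    load_user_profile
fi
```

After a reboot, running the script without --reload shows whether the kernel is back on the system copy (the mode changes, or the ALLOWED lines return). Because the boot-time loader only reads /etc/apparmor.d, a user copy has to be reloaded after every boot unless the change is made where that loader sees it: if the distribution's profile ends with an #include of a file under /etc/apparmor.d/local/, that local file is the place for site customisations, and it is read at boot and survives package upgrades of the profile itself.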
