On Wed, May 23, 2018 at 04:00:36PM +0000, daniel curtis wrote:
> Next thing I would like to ask and clarify is an 'Ux' access mode for
> two files:
> '/{usr/,}sbin/initctl' and '/{usr/,}sbin/runlevel' (for a reason for> I would like to ask if 'Ux' could be changed, for example, with 'PUx' > mode? Would not it be a better solution? And what about 'rPUx' (if I Hello Daniel, PUx would indeed be more secure if you were to go to the effort to confine these two programs. However, the system's proper functioning relies upon these two programs to do their task, and you run a very high risk of making your computer non-functional if you screw up these profiles. These profiles would need to include a great deal of privilege. While you could reduce the privileges they have, I'm not sure it is a meaninful reduction. So, yes, you *can* confine these programs. But please be sure to have a recovery plan in place in case you find you cannot reboot your computer. I think you would be better served to spend your time confining programs that have open network sockets but do not yet have profiles. Thanks
signature.asc
Description: PGP signature
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
