On Sat, 2016-07-30 at 14:28 +0200, intrigeri wrote:
> Hi,
>
> Guido Günther:
> >
> > so how can I find out why the access is still blocked although I added
> > an explicit allow line? I kind of suspect that reloading the profile
> > does not work but have nothing that supports this (reloading without
> > cache, and in verbose mode all look good).
>
> apparmor(7) reads:
>
>   Profiles are applied to a process at exec(3) time (as seen through the
>   execve(2) system call); an already running process cannot be confined.
>   However, once a profile is loaded for a program, that program will be
>   confined on the next exec(3).
>
> The way I understand it, this implies that a modified+reloaded profile
> will only be applied to the confined program next time it is executed.

apparmor_parser -r ... actually allows you to replace the profile for a running process. The trick is that the process needs to be running under a profile first before the profile can be replaced. Put another way: if a program is launched unconfined, then you may not come later and confine it. If a program is launched under a profile (even if it is super strict or lenient), you can replace that profile and have it apply to the running process. The man page is not at all clear on this point and that is a bug in the man page.
-- Jamie Strandboge | http://www.canonical.com
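The distinction Jamie draws (a reload via apparmor_parser -r only takes effect on a process that is already running under a profile) can be checked from the shell before and after the reload, because the kernel exposes each process's current AppArmor label under /proc/PID/attr/current (newer kernels also under /proc/PID/attr/apparmor/current), as either "unconfined" or "profile_name (enforce)" / "profile_name (complain)". The helper below is an added example written for this page, not code from the thread or from the AppArmor project; the function names (aa_classify, aa_profile_name, aa_label_of_pid, aa_reload_for_pid) and the sample labels fed to them are this example's own. Only aa_reload_for_pid needs root and a real AppArmor system; the other functions run anywhere.

```shell
#!/bin/sh
# Added example (not from the original thread): decide whether a running
# process can pick up a profile replaced with `apparmor_parser -r`, and
# verify the label before and after the reload.

# Classify the text read from /proc/PID/attr/current
# (or /proc/PID/attr/apparmor/current on newer kernels).
# Prints one of: unconfined, enforce, complain, other.
aa_classify() {
    case "$1" in
        unconfined*)      echo unconfined ;;
        *"(enforce)"*)    echo enforce ;;
        *"(complain)"*)   echo complain ;;
        *)                echo other ;;
    esac
}

# Strip the trailing " (mode)" from a label such as
# "/usr/sbin/cupsd (enforce)" to get the profile name alone.
aa_profile_name() {
    printf '%s\n' "$1" | sed 's/ *([a-z]*)$//'
}

# Read the live label of a PID, preferring the newer attr/apparmor/ path.
aa_label_of_pid() {
    pid=$1
    if [ -r "/proc/$pid/attr/apparmor/current" ]; then
        cat "/proc/$pid/attr/apparmor/current"
    else
        cat "/proc/$pid/attr/current"
    fi
}

# Reload a profile file with apparmor_parser -r and show the process label
# before and after. Refuses (exit 1) when the process started unconfined,
# since, as the reply explains, a reload cannot confine it after the fact.
# Usage (as root): aa_reload_for_pid PID /etc/apparmor.d/usr.sbin.foo
aa_reload_for_pid() {
    pid=$1
    profile_file=$2
    before=$(aa_label_of_pid "$pid") || return 1
    if [ "$(aa_classify "$before")" = unconfined ]; then
        echo "PID $pid is unconfined; reloading cannot confine it." >&2
        echo "Restart the program so it execs under the profile." >&2
        return 1
    fi
    echo "PID $pid before reload: $before"
    apparmor_parser -r "$profile_file" || return 1
    after=$(aa_label_of_pid "$pid") || return 1
    echo "PID $pid after reload:  $after"
}
```

If the "before" label reads unconfined, editing the profile and reloading it will never change what that process may do; restart it so it goes through exec(3) with the profile already loaded, then later edits can be applied in place with apparmor_parser -r.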

