Hello,

On Tuesday, 20 November 2018, 17:46:27 CET, Stephen Dowdy wrote:
> (would be
> nice if there was a tool for the desktop to issue notifications in
> these cases.  maybe there is, but my lack of searching for it has
> amazingly not revealed it! ;))

You are probably looking for
    sudo /usr/sbin/aa-notify -p --display $DISPLAY -w 10
(no idea if /var/log/audit/audit.log is readable for users on Debian - 
if it is, you can run aa-notify without sudo)

> Seems that the latest thunderbird update should honor the aa-complain
> status of my system.
> 
> Looking at :  /var/lib/dpkg/info/thunderbird.postinst
> 
> I see some logic that looks like i should be using a "disable" link. 
> That seems like it would be different, however, than just setting it
> to 'complain' mode. 

Right, disable and complain mode are different.

The "disable" symlinks will completely disable the profile (it will 
prevent loading it), which means running Thunderbird unconfined.

Complain mode means to load the profile, allow everything [1], and log 
things that would be denied.

Typically complain mode gets set by adding   flags=(complain)   to the 
profile. There's an alternative solution - you can create a symlink in 
/etc/apparmor.d/force-complain/ . While a force-complain symlink makes 
things easier for package management, there's a known issue: the binary 
profile cache won't be used for those profiles, so loading the profiles 
on startup is slower.

> (i see that this bug is still in
> 'thunderbird', and the apparmor file is dpkg-owned by thunderbird, so
> maybe just consider this comment a bug report addition)

If the file belongs to Thunderbird, the bugreport also belongs there ;-) 
(and there are enough AppArmor people in CC)


Regards,

Christian Boltz

[1] There's one exception: explicit "deny" rules will be enforced even 
    in complain mode.
-- 
Last I checked, developers were still human
[Bryen M Yunashko in opensuse-project]
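
The on-disk states described in this message (a "disable" symlink, a force-complain symlink, flags=(complain) in the profile) and the footnote about explicit deny rules, as an added shell example that is not part of the original mail or of AppArmor's own tooling. The function names, the sample profile and the assumption that each symlink carries the profile's file name are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a profile from the on-disk layout of an apparmor.d tree.
# usage: aa_profile_mode <apparmor.d dir> <profile file name>
aa_profile_mode() {
    dir=$1 name=$2
    # disable/ symlink, checked first: the profile is never loaded (unconfined)
    if [ -L "$dir/disable/$name" ]; then echo "disabled"; return 0; fi
    if [ ! -f "$dir/$name" ]; then echo "missing"; return 1; fi
    # force-complain/ symlink: complain mode without editing the profile
    if [ -L "$dir/force-complain/$name" ]; then echo "complain (symlink)"; return 0; fi
    # flags=(complain) on any profile header in the file (comment lines ignored)
    if grep -Eq '^[^#]*flags=\([^)]*complain' "$dir/$name"; then
        echo "complain (flags)"; return 0
    fi
    echo "enforce"
}

# Count explicit deny rules; these stay enforced even in complain mode.
aa_deny_rule_count() {
    grep -Ec '^[[:space:]]*(audit[[:space:]]+)?deny[[:space:]]' "$1"
}

# Build a constructed sample tree (not a real Thunderbird profile) for the demo.
aa_make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/disable" "$d/force-complain"
    cat > "$d/usr.bin.example" <<'EOF'
# constructed sample profile
/usr/bin/example flags=(complain) {
  /etc/example.conf r,
  deny /home/*/.ssh/** rw,
  audit deny /etc/shadow r,
}
EOF
    echo "$d"
}

d=$(aa_make_sample)
echo "flags only:     $(aa_profile_mode "$d" usr.bin.example)"
ln -s "$d/usr.bin.example" "$d/force-complain/usr.bin.example"
echo "force-complain: $(aa_profile_mode "$d" usr.bin.example)"
ln -s "$d/usr.bin.example" "$d/disable/usr.bin.example"
echo "disable link:   $(aa_profile_mode "$d" usr.bin.example)"
echo "deny rules still enforced in complain mode: $(aa_deny_rule_count "$d/usr.bin.example")"
rm -rf "$d"
```

This only inspects files on disk; aa-status reports which profiles are actually loaded and in which mode.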
