On 29/01/2021 13:27, Reco wrote:
Hi.
On Fri, Jan 29, 2021 at 12:49:42PM +0000, Tony van der Hoff wrote:
This is a simplified scenario: Say I have 2 machines, both running Debian 10.7.
Each machine has 3 users: A, B and C. Each machine has an identical (mantained
by Unison) directoery: /home/C/pictures, with permissions ugo:rwx owned by C.
Each file therein has permissions ugo:r
...
I don't understand why my two machines are behaving so differently.
uid difference between hosts A and B, most probably.
Along the other things, thunderbird's apparmor policy contains this:
owner @{HOME}/** r,
I.e. it's allowed to read any file at /home as long as the file is owned
by thunderbird's uid.
I don't think I really want apparmor running at all,
Add apparmor=0 to kernel's cmdline. Building a kernel without apparmor
helps with that too, but that's straying too far from Debian's defaults.
The debian wiki gives me a way to disable apparmor by patching grub,
but that seems like overkill.
You probably got it wrong. Modifying a kernel cmdline and rebuilding
grub with custom patches are different, and they should suggest former
at Debian's wiki.
Does anyone pease have any suggestions on how to enable an application
without major surgery? any help appreciated. Thanks
Disabling a problematic apparmor profile altogether is done by:
/usr/sbin/aa-disable /usr/bin/thunderbird
Disabling a problematic apparmor profile but keeping audit records
generation is done by
/usr/sbin/aa-complain /usr/bin/thunderbird
You'll want the first one, probably.
Reco
Thanks, Reco, that was just the information I needed. I had to install
apparmor-utils, but otherwise aa-disable did the job.
Cheers, Tony
--
Tony van der Hoff | mailto:t...@vanderhoff.org
Buckinghamshire, England |
