Hi,

Sebastian Andrzej Siewior:
> On 2019-01-09 08:01:47 [+0000], Witold Baryluk wrote:
>> tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=6590668k,mode=755)
>> /dev/sda1 on /run/live/medium type iso9660
>> (ro,noatime,nojoliet,check=s,map=n,blocksize=2048)
>> /dev/loop0 on /run/live/rootfs/filesystem.squashfs type squashfs (ro,noatime)
>> tmpfs on /run/live/overlay type tmpfs (rw,noatime,mode=755)
>> overlay on / type overlay
>> (rw,noatime,lowerdir=/run/live/rootfs/filesystem.squashfs/,upperdir=/run/live/overlay/rw,workdir=/run/live/overlay/work)
>> tmpfs on /usr/lib/live/mount type tmpfs
>> (rw,nosuid,noexec,relatime,size=6590668k,mode=755)
>> /dev/sda1 on /usr/lib/live/mount/medium type iso9660
>> (ro,noatime,nojoliet,check=s,map=n,blocksize=2048)
>> /dev/loop0 on /usr/lib/live/mount/rootfs/filesystem.squashfs type squashfs
>> (ro,noatime)
>> tmpfs on /usr/lib/live/mount/overlay type tmpfs (rw,noatime,mode=755)
> So the rules are correct in general but due to the overlay the pathname
> gets a rw at the front of the path.
> Is there something I need to include to profile or is this something
> that is not supported?

Indeed, unionfs in general are pretty poorly supported by AppArmor at
the moment. Adding the attach_disconnected flag, as suggested by
Vincas, often helps, but it's not always sufficient. To make AppArmor
work with aufs, in Tails we need quite a few custom tricks; and
overlayfs will need yet another set of tricks.

Cheers,
-- 
intrigeri
