On 03/22/2015 04:57 AM, Jon Seymour wrote:
> Being somewhat new to the whole crafting of apparmor profiles gig, I am
> thinking I would find the tools 'aa-complain' and 'aa-genprof' to be
> extremely useful.
>
> I tried downloading the .deb packages and installing them into /tmp but the
> tools don't execute properly when installed this way. I can't install them in
> the root file system because the root file system is readonly and I suspect
> that I'll destroy some important invariant if I do.
>
> So, what are the idiomatic ways to get these tools installed into a snappy
> development system to make the whole apparmor profile generation task more
> pleasant than it currently is?

For _apps_, the goal of the system is that you don't need to understand/use
the low level apparmor syntax/tools and instead focus on simply choosing the
right security-template and caps to use[1]. For snappy currently, that is
either the default or the unconfined template and using the 'networking' cap
currently. If this is not working for people, please file bugs and we'll get
it fixed up.

Knowledge of the lowlevel apparmor policy is therefore typically only needed
by framework policy authors (see the recent RFC on frameworks to this list)
and as you've found out, the apparmor-utils are not installed by default.
However, even if they were installed, the tools do not currently support
systems using only the systemd journal (ie, systems without /var/log/syslog,
like ubuntu-core currently)[2]. Until the tools can be made readily available
(eg, as part of 'comfy') I suggest looking at the following for profiling by
hand (it isn't usually too hard -- you can also ask any questions in #apparmor
on OFTC or #ubuntu-hardened/#snappy on Freenode):

* http://wiki.apparmor.net/index.php/Profiling_by_hand
* man 5 apparmor.d

[1] https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement#Native_snap_format
[2] https://bugs.launchpad.net/apparmor/+bug/1435440

--
Jamie Strandboge http://www.ubuntu.com/
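Since the apparmor-utils cannot read a journal-only system, the profiling-by-hand step above amounts to turning the kernel's `apparmor="DENIED"` audit messages into candidate rules yourself. The script below is an added example (not code from this thread or from the apparmor project) that does that over `journalctl -k` output; the log lines, profile name and paths in `SAMPLE_DENIALS` are constructed for the demo.

```shell
#!/bin/sh
# Turn AppArmor "DENIED" audit messages into candidate profile rules,
# grouped per profile and de-duplicated. Typical use on ubuntu-core:
#   journalctl -k | aa_denials_to_rules
# Exec denials are emitted as "ix"; whether ix/Px/Cx is right is a policy
# decision the author must make, as is whether a denial should be allowed at all.
aa_denials_to_rules() {
    grep 'apparmor="DENIED"' | awk '
    {
        split("", f)                          # reset key/value map per line
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") >= 2) {    # key=value or key="value"
                v = substr($i, index($i, "=") + 1)
                gsub(/"/, "", v)
                f[kv[1]] = v
            }
        }
        if (f["profile"] != cur) { cur = f["profile"]; print "# " cur }
        if (f["operation"] == "capable")
            r = "capability " f["capname"] ","
        else if ("family" in f)
            r = "network " f["family"] " " f["sock_type"] ","
        else if ("name" in f) {
            m = f["denied_mask"]; if (m == "") m = f["requested_mask"]
            sub(/x/, "ix", m)                 # exec needs an explicit mode
            r = f["name"] " " m ","
        } else
            next                              # operation we do not translate
        if (!((cur SUBSEP r) in seen)) { seen[cur SUBSEP r] = 1; print r }
    }'
}

# Constructed sample of kernel audit lines (what journalctl -k would show).
SAMPLE_DENIALS='kernel: audit: type=1400 audit(1427000000.001:101): apparmor="DENIED" operation="open" profile="hello-world.canonical_hello_1.0.0" name="/etc/hostname" pid=1234 comm="hello" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1427000000.002:102): apparmor="DENIED" operation="open" profile="hello-world.canonical_hello_1.0.0" name="/etc/hostname" pid=1234 comm="hello" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1427000000.003:103): apparmor="DENIED" operation="capable" profile="hello-world.canonical_hello_1.0.0" pid=1234 comm="hello" capability=12 capname="net_admin"
kernel: audit: type=1400 audit(1427000000.004:104): apparmor="DENIED" operation="create" profile="hello-world.canonical_hello_1.0.0" pid=1234 comm="hello" family="inet" sock_type="stream" protocol=6
kernel: audit: type=1400 audit(1427000000.005:105): apparmor="DENIED" operation="exec" profile="hello-world.canonical_hello_1.0.0" name="/bin/sh" pid=1235 comm="hello" requested_mask="x" denied_mask="x" fsuid=0 ouid=0'

printf '%s\n' "$SAMPLE_DENIALS" | aa_denials_to_rules
```

Paste the output into the profile under review, drop anything the app should not be doing, then reload with `apparmor_parser -r` and repeat until the journal stays quiet.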
--
snappy-devel mailing list
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snappy-devel
