mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-12-25 06:27:49 +01:00
build: default to complain mode.
parent
5f49ffeb94
commit
0177b68308
3 changed files with 12 additions and 14 deletions
2
PKGBUILD
2
PKGBUILD
|
@ -20,7 +20,7 @@ prepare() {
|
||||||
git clone "$startdir" "$srcdir/$pkgname"
|
git clone "$startdir" "$srcdir/$pkgname"
|
||||||
cd "$srcdir/$pkgname"
|
cd "$srcdir/$pkgname"
|
||||||
|
|
||||||
./configure
|
./configure --complain
|
||||||
}
|
}
|
||||||
|
|
||||||
build() {
|
build() {
|
||||||
|
|
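Review bot: In `prepare()`, `./configure --complain` hard-codes the mode, so the only way to build an enforcing package is to edit the tracked PKGBUILD, as the new README section instructs. Consider reading the flag from a variable defined at the top of the PKGBUILD, so the mode can be changed in one obvious place and the edit is easy to spot when reviewing a local build.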
22
README.md
22
README.md
|
@ -44,6 +44,8 @@ This is fundamentally different from how AppArmor is used on Linux server as it
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
|
> **Warning**: In order to not break your system, the default package configuration install all profiles in complain mode. They can be enforced later. See [Enforce Mode](#enfore_mode)
|
||||||
|
|
||||||
**Requirements**
|
**Requirements**
|
||||||
* An `apparmor` based linux distribution.
|
* An `apparmor` based linux distribution.
|
||||||
* Base profiles and abstractions shipped with AppArmor are supposed to be
|
* Base profiles and abstractions shipped with AppArmor are supposed to be
|
||||||
|
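Review bot: The link target `(#enfore_mode)` in the new warning is misspelled and uses an underscore, so it is unlikely to resolve to the section added further down, whose heading is `## Enfore Mode`. Heading anchors are normally generated in lower case with hyphens, so once the heading is corrected to "Enforce Mode" the link should read `(#enforce-mode)`. In the same sentence, "configuration install" should be "configuration installs".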
@ -62,7 +64,6 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \
|
||||||
--overwrite etc/apparmor.d/abstractions/trash
|
--overwrite etc/apparmor.d/abstractions/trash
|
||||||
```
|
```
|
||||||
|
|
||||||
> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
|
|
||||||
|
|
||||||
**Debian / Ubuntu**
|
**Debian / Ubuntu**
|
||||||
|
|
||||||
|
@ -74,8 +75,6 @@ dpkg-buildpackage -b -d --no-sign
|
||||||
sudo dpkg -i ../apparmor.d_*_all.deb
|
sudo dpkg -i ../apparmor.d_*_all.deb
|
||||||
```
|
```
|
||||||
|
|
||||||
> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
|
|
||||||
|
|
||||||
**Partial install**
|
**Partial install**
|
||||||
|
|
||||||
For test purpose, you can install a specific profile with the following commands. The tool will also install required abstractions and tunables:
|
For test purpose, you can install a specific profile with the following commands. The tool will also install required abstractions and tunables:
|
||||||
|
@ -162,18 +161,17 @@ profile, create a file `/etc/apparmor.d/local/gnome-shell` and add your rules.
|
||||||
Then, reload the apparmor rules with `sudo systemctl restart apparmor`.
|
Then, reload the apparmor rules with `sudo systemctl restart apparmor`.
|
||||||
|
|
||||||
|
|
||||||
## Troubleshooting
|
## Enfore Mode
|
||||||
|
|
||||||
**Complain mode**
|
The default package configuration installs all profile in *complain* mode.
|
||||||
|
You can easily swicth to *enforce* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules` on Debian and remove the `--complain` option to the configure script. Then build the package as usual:
|
||||||
On first install and for test purposes, it is recommended to pass all profiles
|
```diff
|
||||||
in *complain* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules`
|
- ./configure --complain
|
||||||
on Debian and add the `--complain` option to the configure script. Then build
|
+ ./configure
|
||||||
the package as usual:
|
|
||||||
```sh
|
|
||||||
./configure --complain
|
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Troubleshooting
|
||||||
|
|
||||||
**AppArmor messages**
|
**AppArmor messages**
|
||||||
|
|
||||||
Ensure that `auditd` is installed and running on your system in order to read
|
Ensure that `auditd` is installed and running on your system in order to read
|
||||||
|
|
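Review bot: The new heading `## Enfore Mode` is misspelled, and since the warning near the top of the README links to it, correcting it later will change the anchor; fix it to "Enforce Mode" in this commit. The added paragraph also has "swicth" for "switch", "installs all profile" for "installs all profiles", and "remove the `--complain` option to the configure script", which should read "from the configure script". It would help to say that switching to enforce requires rebuilding and reinstalling the package, since the old text's "Then build the package as usual" now sits directly before the diff block and is easy to miss.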
2
debian/rules
vendored
2
debian/rules
vendored
|
@ -13,7 +13,7 @@
|
||||||
go build ./cmd/aa-log
|
go build ./cmd/aa-log
|
||||||
|
|
||||||
override_dh_auto_configure:
|
override_dh_auto_configure:
|
||||||
./configure
|
./configure --complain
|
||||||
|
|
||||||
override_dh_install:
|
override_dh_install:
|
||||||
mv systemd system
|
mv systemd system
|
||||||
|
|
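Review bot: In `override_dh_auto_configure`, `--complain` is now passed here and in the PKGBUILD, so the default named in the commit title lives in two packaging files rather than in the configure script. Per the README text in this commit, a bare `./configure` still produces enforcing profiles, which means any build that does not go through these two files keeps the old behaviour. Either make complain the default inside the configure script, or say explicitly in the README that the default applies only to the Arch and Debian packages.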