build: default to complain mode.

Alexandre Pujol 2022-09-13 18:14:58 +01:00
parent 5f49ffeb94
commit 0177b68308
3 changed files with 12 additions and 14 deletions


@ -20,7 +20,7 @@ prepare() {
git clone "$startdir" "$srcdir/$pkgname" git clone "$startdir" "$srcdir/$pkgname"
cd "$srcdir/$pkgname" cd "$srcdir/$pkgname"
./configure ./configure --complain
} }
build() { build() {
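Review bot: `./configure --complain` in `prepare()` hard-codes the mode, so anyone who wants enforce mode has to edit the PKGBUILD and rebuild. Consider reading the flag from a variable with `--complain` as its default, so the default stays safe and the switch to enforce mode does not require patching the packaging file.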


@ -44,6 +44,8 @@ This is fundamentally different from how AppArmor is used on Linux server as it
## Installation ## Installation
> **Warning**: In order to not break your system, the default package configuration install all profiles in complain mode. They can be enforced later. See [Enforce Mode](#enfore_mode)
**Requirements** **Requirements**
* An `apparmor` based linux distribution. * An `apparmor` based linux distribution.
* Base profiles and abstractions shipped with AppArmor are supposed to be * Base profiles and abstractions shipped with AppArmor are supposed to be
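Review bot: the link target `#enfore_mode` in the added warning will not resolve once the heading it points to is spelled correctly. The heading added further down in this commit reads `## Enfore Mode`, and GitHub-style Markdown renderers build heading anchors with hyphens, not underscores, so rename the heading to "Enforce Mode" and link to `#enforce-mode`. In the same line, "install all profiles" should read "installs all profiles".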
@ -62,7 +64,6 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \
--overwrite etc/apparmor.d/abstractions/trash --overwrite etc/apparmor.d/abstractions/trash
``` ```
> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
**Debian / Ubuntu** **Debian / Ubuntu**
@ -74,8 +75,6 @@ dpkg-buildpackage -b -d --no-sign
sudo dpkg -i ../apparmor.d_*_all.deb sudo dpkg -i ../apparmor.d_*_all.deb
``` ```
> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
**Partial install** **Partial install**
For test purpose, you can install a specific profile with the following commands. The tool will also install required abstractions and tunables: For test purpose, you can install a specific profile with the following commands. The tool will also install required abstractions and tunables:
@ -162,18 +161,17 @@ profile, create a file `/etc/apparmor.d/local/gnome-shell` and add your rules.
Then, reload the apparmor rules with `sudo systemctl restart apparmor`. Then, reload the apparmor rules with `sudo systemctl restart apparmor`.
## Troubleshooting ## Enfore Mode
**Complain mode** The default package configuration installs all profile in *complain* mode.
You can easily swicth to *enforce* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules` on Debian and remove the `--complain` option to the configure script. Then build the package as usual:
On first install and for test purposes, it is recommended to pass all profiles ```diff
in *complain* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules` - ./configure --complain
on Debian and add the `--complain` option to the configure script. Then build + ./configure
the package as usual:
```sh
./configure --complain
``` ```
## Troubleshooting
**AppArmor messages** **AppArmor messages**
Ensure that `auditd` is installed and running on your system in order to read Ensure that `auditd` is installed and running on your system in order to read
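Review bot: the new section never states what complain mode means in practice: policy violations are logged but not blocked, so a default install provides no confinement until the package is rebuilt without `--complain`. Say that explicitly at the top of the section, since the default is now the non-enforcing one. Wording fixes in the same added lines: the heading `## Enfore Mode` should be "Enforce Mode", "swicth" should be "switch", "installs all profile" should be "installs all profiles", and "remove the `--complain` option to the configure script" should be "from the configure script".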

debian/rules vendored

@ -13,7 +13,7 @@
go build ./cmd/aa-log go build ./cmd/aa-log
override_dh_auto_configure: override_dh_auto_configure:
./configure ./configure --complain
override_dh_install: override_dh_install:
mv systemd system mv systemd system