build: default to complain mode.

Alexandre Pujol 2022-09-13 18:14:58 +01:00
parent 5f49ffeb94
commit 0177b68308
3 changed files with 12 additions and 14 deletions


@ -20,7 +20,7 @@ prepare() {
git clone "$startdir" "$srcdir/$pkgname"
cd "$srcdir/$pkgname"
./configure
./configure --complain
}
build() {
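Review bot: switching `./configure` to `./configure --complain` in prepare() changes the mode for everyone who rebuilds from this PKGBUILD, including users whose profiles were enforced under the previous default, and nothing at the call site says so. Add a comment above the line stating that complain mode is the packaged default and that removing the flag enforces the profiles (the README's Enforce Mode section tells users to edit exactly this line), and consider an install-time message so that an upgrade does not quietly loosen confinement.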


@ -44,6 +44,8 @@ This is fundamentally different from how AppArmor is used on Linux server as it
## Installation
> **Warning**: In order to not break your system, the default package configuration install all profiles in complain mode. They can be enforced later. See [Enforce Mode](#enfore_mode)
**Requirements**
* An `apparmor` based linux distribution.
* Base profiles and abstractions shipped with AppArmor are supposed to be
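Review bot: the link target in the new warning, `[Enforce Mode](#enfore_mode)`, is misspelled and uses an underscore, so it is unlikely to resolve: the section it points to is added further down as `## Enfore Mode`, and Markdown renderers that derive anchors from heading text typically produce a hyphenated slug. Rename the heading to `## Enforce Mode` and link to `#enforce-mode`. In the same sentence, "install all profiles" should read "installs all profiles".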
@ -62,7 +64,6 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \
--overwrite etc/apparmor.d/abstractions/trash
```
> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
**Debian / Ubuntu**
@ -74,8 +75,6 @@ dpkg-buildpackage -b -d --no-sign
sudo dpkg -i ../apparmor.d_*_all.deb
```
> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
**Partial install**
For test purpose, you can install a specific profile with the following commands. The tool will also install required abstractions and tunables:
@ -162,18 +161,17 @@ profile, create a file `/etc/apparmor.d/local/gnome-shell` and add your rules.
Then, reload the apparmor rules with `sudo systemctl restart apparmor`.
## Troubleshooting
## Enfore Mode
**Complain mode**
On first install and for test purposes, it is recommended to pass all profiles
in *complain* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules`
on Debian and add the `--complain` option to the configure script. Then build
the package as usual:
```sh
./configure --complain
The default package configuration installs all profile in *complain* mode.
You can easily swicth to *enforce* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules` on Debian and remove the `--complain` option to the configure script. Then build the package as usual:
```diff
- ./configure --complain
+ ./configure
```
## Troubleshooting
**AppArmor messages**
Ensure that `auditd` is installed and running on your system in order to read
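Review bot: the new Enforce Mode paragraph has wording errors that make the instruction harder to follow: "installs all profile" should be "all profiles", "swicth" should be "switch", and "remove the `--complain` option to the configure script" should be "from the configure script". Since this section now sits directly above Troubleshooting, it would also help to tell readers to review the AppArmor messages described there before removing `--complain`, because enforcing a profile that still logs denials will block the program.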

debian/rules vendored

@ -13,7 +13,7 @@
go build ./cmd/aa-log
override_dh_auto_configure:
./configure
./configure --complain
override_dh_install:
mv systemd system
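Review bot: `override_dh_auto_configure` now hard-codes `./configure --complain`, so the only way to build an enforcing Debian package is to edit this rules file, and the same flag is duplicated in the PKGBUILD. Consider passing the mode through a make variable that defaults to `--complain` and can be overridden from the environment at build time, so that switching to enforce mode does not require patching packaging files and the two build recipes cannot drift apart.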