mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-02-10 04:05:31 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Add the troubleshooting section.

Browse source
This commit is contained in:
Alexandre Pujol 2022-02-08 21:13:31 +00:00
parent 6294159d7a
commit 2f77653cba
Failed to generate hash of commit
1 changed files with 48 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

49
README.md
View file

@ -58,6 +58,8 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \
--overwrite etc/apparmor.d/tunables/xdg-user-dirs --overwrite etc/apparmor.d/tunables/xdg-user-dirs
``` ```
> Note: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
**Debian** **Debian**
Build using standard Debian package build tools: Build using standard Debian package build tools:
@ -66,6 +68,8 @@ dpkg-buildpackage -b -d --no-sign
sudo dpkg --install ../apparmor.d_*_all.deb sudo dpkg --install ../apparmor.d_*_all.deb
``` ```
> Note: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
**Partial install** **Partial install**
For test purpose, you can install a specific profile with the following commands. The tool will also install required abstractions and tunables: For test purpose, you can install a specific profile with the following commands. The tool will also install required abstractions and tunables:
@ -105,7 +109,7 @@ You can also list the current processes alongside with their security profile wi
**AppArmor Log** **AppArmor Log**
The provided command `aa-log` allow you review AppArmor generated messages in a The provided command `aa-log` allow you review AppArmor generated messages in a
colorfull way: colorful way:
``` ```
$ aa-log $ aa-log
@ -151,6 +155,49 @@ You can extend a profile with your own rules by creating a file in the
profile, create a file `/etc/apparmor.d/local/gnome-shell` and add your rules. profile, create a file `/etc/apparmor.d/local/gnome-shell` and add your rules.
Then, reload the apparmor rules with `sudo systemctl restart apparmor`. Then, reload the apparmor rules with `sudo systemctl restart apparmor`.
## Troubleshooting
**Complain mode**
On first install and for test purposes, it is recommended to pass all profiles
in *complain* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules`
on Debian and add the `--complain` option to the configure script. Then build
the package as usual:
```sh
./configure --complain
```
**AppArmor messages**
Ensure that `auditd` is installed and running on your system in order to read
AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with `aa-log`
**System Recovery**
Issue in some core profiles like the systemd tools, or the desktop environment
can fully break your system. This should not happen a lot, but if it does here
is the procces to recover your system on Archlinux:
1. Boot from a Archlinux live USB
1. If you root partition is encryped, decrypt it: `cryptsetup open /dev/<your-disk-id> vg0`
1. Mount your root partition: `mount /dev/<your-plain-disk-id> /mnt`
1. Chroot into your system: `arch-chroot /mnt`
1. Check the AppArmor messages to see what profile is faulty: `aa-log`
1. Temporarily fix the issue with either:
- When only one profile is faultly, remove it: `rm /etc/apparmor.d/<profile-name>`
- Otherwise, you can also remove the package: `pacman -R apparmor.d`
- Alternativelly, you may temporarily disable apparmor as it will allow you to
boot and studdy the log: `systemctl disable apparmor`
1. Exit, umount, and reboot:
```sh
exit
umount -R /mnt
reboot
```
1. Create an issue and report the output of `aa-log`
## Tests ## Tests
A full test suite to ensure compatibility across distributions and softwares is still a work in progress. A full test suite to ensure compatibility across distributions and softwares is still a work in progress.