[Apparmor-general] AppArmor definition of a home directory too rigid

John Johansen jjohansen at suse.de
Thu Aug 2 10:27:39 MDT 2007


On Thu, Aug 02, 2007 at 09:59:21AM -0300, Andreas Hasenack wrote:
> On Wed, Aug 01, 2007 at 11:09:17PM -0700, John Johansen wrote:
> > profiles should now be using @{HOME} and if they don't it is a bug.
> > 
> > the @{HOME} variable can be modified be editing 
> > /etc/apparmor.d/tunables/home
> 
> What about having this variable redefined on-the-fly for each user's
> real home directory? Some may be in /home, others in /var/lib (system
> users), others in /home/group/whatever, etc. Just a quick thought.
> 
It is a nice idea, but currently is infeasible.  However, AppArmor's
variables can contain a list of different values and will work for this
situation, though the profile may not be as tight as you want.

To do this, assign @{HOME} to contain each of the values
@{HOME}=/home/ /var/lib/ /home/group/whatever/

When the variable gets expanded it will be the same as writing 3 rules,
e.g.
@{HOME}/.ssh  r,

is equivalent to
/home/.ssh r,
/var/lib/.ssh r,
/home/group/whatever/.ssh r,

regards
john
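The expansion described above, as an added example that is not from the thread or from AppArmor's own code: a small Python model of variable lists, nested variables and AppArmor-style globbing, which reproduces the three rules above and also shows why the list form matches paths that are no user's home. The second tunables string, using a constructed @{HOMEDIRS}*/ value in the style of AppArmor's tunables/home, is an assumption for illustration, not something quoted from the page.

```python
import re

# Constructed tunables, not quoted from AppArmor's shipped files.
# PAGE_TUNABLES is the list form John describes; PER_USER_TUNABLES is an
# assumed per-user form in the style of AppArmor's tunables/home.
PAGE_TUNABLES = "@{HOME}=/home/ /var/lib/ /home/group/whatever/"
PER_USER_TUNABLES = """
@{HOMEDIRS}=/home/ /var/lib/
@{HOME}=@{HOMEDIRS}*/ /home/group/whatever/
"""
VAR_RE = re.compile(r"@\{([A-Za-z0-9_]+)\}")

def parse_tunables(text):
    """Parse '@{NAME}=value value ...' lines into {NAME: [values]}."""
    variables = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rhs = line.partition("=")
        variables[VAR_RE.fullmatch(name.strip()).group(1)] = rhs.split()
    return variables

def expand(path, variables):
    """Return the concrete paths one rule path stands for.
    A variable holding N values turns one rule into N rules; values may
    reference other variables (expanded recursively). Repeated '/' are
    collapsed, so '@{HOME}/.ssh' with '/home/' yields '/home/.ssh'."""
    m = VAR_RE.search(path)
    if not m:
        return [re.sub("/+", "/", path)]
    expanded = []
    for value in variables[m.group(1)]:
        expanded.extend(expand(path[:m.start()] + value + path[m.end():], variables))
    return expanded

def glob_to_regex(pattern):
    """AppArmor globbing: '*' stops at '/', '**' crosses directories."""
    parts = re.split(r"(\*\*|\*)", pattern)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p)
                   for p in parts)
    return re.compile("^" + body + "$")

def rule_allows(rule_path, variables, target):
    """True if any expansion of rule_path matches the concrete target."""
    return any(glob_to_regex(p).match(target)
               for p in expand(rule_path, variables))
```

With the list form, `@{HOME}/.ssh` grants `/home/.ssh` but not `/home/alice/.ssh`; with the per-user form it is the other way round, and `*` does not cross into subdirectories.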