cannot override a generic deny rule with a more specific allow rule
Bug #451422 reported by Jamie Strandboge
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | New | Wishlist | Unassigned |
apparmor (Ubuntu) | Won't Fix | Wishlist | John Johansen |

Bug Description
If I include abstractions/
audit deny @{HOME}/.mozilla/** mrwkl,
I would expect to be able to add the following and have the cache files allowed, but it doesn't work:
owner @{HOME}
Changed in linux (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
affects: linux (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
assignee: John Johansen (jjohansen) → nobody
status: New → Triaged
assignee: nobody → John Johansen (jjohansen)
summary:
- most specific AppArmor rule doesn't always match
+ cannot override a generic deny rule with a more specific allow rule
Changed in apparmor (Ubuntu):
importance: Undecided → Wishlist
tags: added: aa-feature
At this time, this is not possible: priority ordering by hierarchy (i.e. local rules taking precedence over include rules) is not currently implemented, and deny rules take precedence over allow rules.
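
The precedence described in the comment above, as an added sketch that is not part of the bug report or AppArmor's own code: a simplified Python model in which permissions from matching allow rules accumulate and matching deny rules are subtracted, regardless of which rule is more specific. The cache rule path, the `HOME` value and the function names are constructed for illustration, and the `audit` qualifier (which affects logging) is left out.

```python
import re

HOME = "/home/alice"  # constructed value standing in for @{HOME}

# (kind, path glob, permissions, owner-only)
RULES = [
    # deny rule quoted in the report
    ("deny", "@{HOME}/.mozilla/**", "mrwkl", False),
    # constructed stand-in for a more specific allow rule; not the reporter's rule
    ("allow", "@{HOME}/.mozilla/firefox/*/Cache/**", "rw", True),
]

def glob_to_regex(glob):
    """Translate the glob subset used here: '**' crosses '/', '*' does not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def permitted(rules, path, requested, is_owner=True):
    """Return True only if every requested permission is allowed and none is denied."""
    allowed, denied = set(), set()
    for kind, glob, perms, owner_only in rules:
        if owner_only and not is_owner:
            continue  # an 'owner' rule applies only when the task owns the file
        if glob_to_regex(glob.replace("@{HOME}", HOME)).match(path):
            (denied if kind == "deny" else allowed).update(perms)
    # Deny is subtracted last, so rule order and specificity do not matter.
    return set(requested) <= allowed - denied

if __name__ == "__main__":
    cache = HOME + "/.mozilla/firefox/abc.default/Cache/entry"
    print("both rules:", permitted(RULES, cache, "r"))
    print("allow rule only:", permitted(RULES[1:], cache, "r"))
```
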