aboutsummaryrefslogtreecommitdiff
path: root/straper/db/public/apparmor/apparmor.d/local/README
diff options
context:
space:
mode:
authorLukasz Kasprzak <lukasz.kasprzak@pm.me>2026-03-20 19:16:32 +0100
committerLukasz Kasprzak <lukasz.kasprzak@pm.me>2026-03-20 19:16:32 +0100
commit39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2 (patch)
tree9221704f413398cfb5d5759083b1e7032566820e /straper/db/public/apparmor/apparmor.d/local/README
parent6b59b75c3a294060dea66bdee16ffaf95ae92889 (diff)
downloadbin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.tar.gz
bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.zip
feat: first fully successful run e2e on straper
Diffstat (limited to 'straper/db/public/apparmor/apparmor.d/local/README')
-rw-r--r--straper/db/public/apparmor/apparmor.d/local/README27
1 files changed, 27 insertions, 0 deletions
diff --git a/straper/db/public/apparmor/apparmor.d/local/README b/straper/db/public/apparmor/apparmor.d/local/README
new file mode 100644
index 0000000..688ed42
--- /dev/null
+++ b/straper/db/public/apparmor/apparmor.d/local/README
@@ -0,0 +1,27 @@
+# This directory is intended to contain profile additions and overrides for
+# inclusion by distributed profiles to aid in packaging AppArmor for
+# distributions.
+#
+# The shipped profiles in /etc/apparmor.d can still be modified by an
+# administrator and people should modify the shipped profile when making
+# large policy changes, rather than trying to make those adjustments here.
+#
+# For simple access additions or the occasional deny override, adjusting them
+# here can prevent the package manager of the distribution from interfering
+# with local modifications. As always, new policy should be reviewed to ensure
+# it is appropriate for your site.
+#
+# For example, if the shipped /etc/apparmor.d/usr.sbin.smbd profile has:
+# include <local/usr.sbin.smbd>
+# or
+# include if exists <local/usr.sbin.smbd>
+#
+# then an administrator can adjust /etc/apparmor.d/local/usr.sbin.smbd
+# (create the file if it doesn't exist yet) to contain any additional paths
+# to be allowed, such as:
+#
+# /var/exports/** lrwk,
+#
+# Keep in mind that 'deny' rules are evaluated after allow rules, so you won't
+# be able to allow access to files that are explicitly denied by the shipped
+# profile using this mechanism.