On 2017-12-03 01:07, Alexander V. Makartsev wrote:
> If I understood this correctly, aa-complain will only switch profile to "complain mode" (log, but don't block). This is
> effectively the same as disabling the profile, which is not a good solution.

I believe "deny" rules still apply even in complain mode. If the profile has the "private-files" abstraction included, your
~/.bash* files will still be protected.

> "aa-complain" is useful for debugging and writing my own profiles, but it won't be as useful when a partially broken
> profile is coming from a package, because any user modifications will be overwritten after package updates.

User modifications can be placed into "local" includes, for Thunderbird it's `/etc/apparmor.d/local/usr.bin.thunderbird`,
they will not be overwritten.
Do not forget to reload the profile with `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.thunderbird` afterwards.

If you believe that these local modifications could be useful for other use cases, please report a bug with usertag
modify-profile or buggy-profile [0].

[0] https://wiki.debian.org/AppArmor/Reportbug#Usertags
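
The local-include workflow described in the reply above, as an added example that is not part of the original message: it checks that the packaged profile really includes its `local/` file, appends a rule only once, and reloads the profile. The function names, the overridable `APPARMOR_DIR` variable and the sample rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: put a site-specific rule into an AppArmor "local" include
# and reload the profile. APPARMOR_DIR is overridable so the functions can
# be tried against a scratch directory (an assumption of this sketch).
APPARMOR_DIR="${APPARMOR_DIR:-/etc/apparmor.d}"

# Succeeds if the packaged profile actually pulls in local/<profile>.
# Without that include line, edits to the local file have no effect.
# Accepts "#include", "include" and "include if exists" spellings.
profile_includes_local() {
    grep -Eq "^[[:space:]]*#?include([[:space:]]+if[[:space:]]+exists)?[[:space:]]+<local/$1>" \
        "$APPARMOR_DIR/$1"
}

# Append one rule to local/<profile> unless the exact line is already there,
# so repeated runs do not pile up duplicate rules.
add_local_rule() {
    profile="$1"
    rule="$2"
    local_file="$APPARMOR_DIR/local/$profile"
    profile_includes_local "$profile" || {
        echo "profile $profile does not include local/$profile" >&2
        return 1
    }
    mkdir -p "$APPARMOR_DIR/local"
    touch "$local_file"
    grep -Fxq -- "$rule" "$local_file" || printf '%s\n' "$rule" >> "$local_file"
}

# Re-parse and replace the loaded profile (needs root), as in the message.
reload_profile() {
    apparmor_parser -r "$APPARMOR_DIR/$1"
}

# Typical use, run as root (the rule is a constructed sample):
#   add_local_rule usr.bin.thunderbird 'owner @{HOME}/Attachments/** rw,' \
#       && reload_profile usr.bin.thunderbird
```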