[Pkg-samba-maint] [apparmor] Let's enable AppArmor by default (why not?)
Marvin Renich
mrvn at renich.org
Mon Mar 19 14:10:02 UTC 2018
[added d-dev back]
* intrigeri <intrigeri at debian.org> [180319 07:40]:
> Marvin Renich:
> > Actually, a short beginner's guide as a text file in
> > /usr/share/doc/apparmor, which has more than just "how to disable a
> > profile" would be extremely helpful. I don't have the apparmor
> > knowledge to write it, though.
>
> FYI the most useful bits were added to
> https://wiki.debian.org/AppArmor/HowToUse
> which is linked from /usr/share/doc/apparmor/README.Debian :)
>
> It's only a start and there's lots of room for improvement,
> but it's a start.
Thanks for this pointer!

Adding these two links [1], [2] on that page might be helpful. I found
them by following links to [3].

As a side note, my laptop runs testing, and I allowed apparmor to be
enabled when that change hit testing. The only issue I have noticed so
far is that smbd would not have access to some (intentionally public,
not in /home) shares if it were in enforce mode, rather than complain
mode. If I were not aware of apparmor, and if smbd were in enforce
mode, I would have had a difficult time tracking this down.

Is there a way that an app (e.g. smbd) whose file access requirements
change dynamically through admin and user configuration can at least
inspect its own apparmor profile and give the user a clue that the admin
must update the profile? For Samba, perhaps at least a comment in
/etc/samba/smb.conf at "Share Definitions" giving a reminder that if any
LSM is enabled, the LSM config may need to be updated to reflect changes
to shares.

(Samba maintainers added to CC; please remove them for replies not
pertaining to samba.)

...Marvin

[1] Creating and modifying AppArmor policy with the tools
https://gitlab.com/apparmor/apparmor/wikis/Profiling_with_tools
[2] Creating and modifying AppArmor policy by hand
https://gitlab.com/apparmor/apparmor/wikis/Profiling_by_hand
[3] https://gitlab.com/apparmor/apparmor/wikis/Documentation
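
An added illustration of the mismatch described in the message above (not part of the original e-mail, and not Samba or AppArmor project code): a sketch that lists smb.conf shares whose path no file rule in the smbd profile appears to cover. The sample smb.conf and profile text are constructed, all function names are hypothetical, and the glob matching only approximates apparmor.d(5) semantics.

```python
import re

# Constructed sample inputs for illustration, not taken from the thread.
SMB_CONF = "[global]\n workgroup = X\n[public]\n path = /srv/public\n[media]\n path = /data/media\n"
PROFILE = """/usr/sbin/smbd {
  /etc/samba/** r,
  /srv/{public,pub}/** rwk,
  /data/* r,
}
"""
GLOBS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}  # per apparmor.d(5): only ** crosses '/'

def aa_glob_to_regex(glob):
    """Approximate an AppArmor path glob; [] classes, variables, nesting unsupported."""
    def tok(m):
        t = m.group()
        if t in GLOBS:
            return GLOBS[t]
        if t[0] == "{" and len(t) > 1:  # flat {a,b} alternation
            return "(?:" + "|".join(map(re.escape, t[1:-1].split(","))) + ")"
        return re.escape(t)
    return re.compile(re.sub(r"\*\*|\*|\?|\{[^{}]*\}|[^*?{]+|.", tok, glob) + r"\Z")

def profile_globs(profile_text):
    """Compile the path of each allow rule shaped like '/path/** rw,' (includes not followed)."""
    rule = re.compile(r"^[ \t]*(?:owner[ \t]+)?(/\S*)[ \t]+[a-zA-Z]+,[ \t]*$", re.M)
    return [aa_glob_to_regex(g) for g in rule.findall(profile_text)]

def share_paths(smb_conf_text):
    """Map share name -> path for every smb.conf section except [global]."""
    shares, section = {}, None
    for line in map(str.strip, smb_conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and line[0] not in "#;" and section not in (None, "global"):
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() == "path":
                shares[section] = value.rstrip("/")
    return shares

def uncovered_shares(smb_conf_text, profile_text):
    """Shares where a file directly under the share path matches no allow rule."""
    globs = profile_globs(profile_text)
    return {name: path for name, path in share_paths(smb_conf_text).items()
            if not any(g.match(path + "/probe") for g in globs)}

if __name__ == "__main__":
    for name, path in uncovered_shares(SMB_CONF, PROFILE).items():
        print(f"[{name}] {path}: no matching rule in the smbd profile")
```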