Comment by amluto

3 hours ago

I despise AppArmor and SELinux, especially in cases where they actively get in the way of security like this.

But you shouldn't need to make a global change. Do this:

    if [[ -f /proc/$$/attr/exec ]]; then
        # AppArmor is active.  Request "unconfined" for our next exec.
        echo 'exec unconfined' 2>/dev/null >/proc/$$/attr/exec
    fi
    exec ...

Or I think you can do this:

    $ setpriv --apparmor-profile=unconfined [command]

(You'd think I'd be more sure of the exact circumstances under which the latter works given that I literally wrote setpriv... At the very least, it will error out if apparmor is not running, which is mildly obnoxious.)
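
Added example, not part of amluto's comment: the first snippet sends errors from the `attr/exec` write to `/dev/null`, so a failed request is silent. This sketch lets the exec'd program check its own label in `/proc/<pid>/attr/current`. The function names and the optional path argument are hypothetical, and the label forms handled (`unconfined`, `name (enforce)`, `name (complain)`) are the common AppArmor ones; anything else is reported as `unknown`.

```shell
# Added example (not from the comment above).
# Classify a confinement label as read from /proc/<pid>/attr/current.
# Prints one of: unconfined, enforce, complain, unknown.
# "unknown" covers other AppArmor modes and non-AppArmor content
# such as an SELinux context.
aa_mode() {
    label=$1
    case "$label" in
        unconfined)      echo unconfined ;;
        *" (enforce)")   echo enforce ;;
        *" (complain)")  echo complain ;;
        *)               echo unknown ;;
    esac
}

# Read and classify the label of a process (default: the caller).
# The second argument is a hypothetical override of the path, so the
# function can be exercised against a constructed file.
aa_mode_of() {
    pid=${1:-self}
    path=${2:-/proc/$pid/attr/current}
    # The read can fail (for example when no LSM provides the attribute);
    # treat that as unknown instead of aborting.
    label=$(cat "$path" 2>/dev/null) || { echo unknown; return 0; }
    aa_mode "$label"
}

# Guard for a wrapper script: succeed only if the process is unconfined.
require_unconfined() {
    [ "$(aa_mode_of "$@")" = unconfined ]
}
```

Calling `require_unconfined || exit 1` at the top of the exec'd program turns a silently ignored request into a visible failure.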