{{tag>Brouillon Sécurité}}

= Notes AppArmor

Voir : 
* https://docs.docker.com/engine/security/apparmor/

The nscd Apparmor profile is not prepared for that and needs some additional
capabilities added.

Necessary changes are:
<code - /etc/nscd.conf>
        server-user             nobody
</code>



<code - /etc/apparmor.d/usr.sbin.nscd>
          capability setgid,
          capability setuid,
</code>

After adding these lines, restart Apparmor and subsequently nscd

source : https://www.suse.com/fr-fr/support/kb/doc/?id=000017971

== K3S rootless

<code bash>
cat <<EOF | sudo tee "/etc/apparmor.d/usr.local.bin.k3s"
abi <abi/4.0>,
include <tunables/global>

/usr/local/bin/k3s flags=(unconfined) {
  userns,

  include if exists <local/usr.local.bin.k3s>
}
EOF

sudo systemctl restart apparmor.service
</code>

Source : https://docs.k3s.io/advanced