[apparmor] [ISSUE] Why can't my Python script override the DAC?

Fei Shao robinshao007 at 163.com
Wed Jan 14 09:19:40 UTC 2026


Hi all,


I wrote a Python script to test the dac_override option, but it failed.
The Python script is:
----------------------------------------------------
#!/usr/bin/env python3
import os  # basic file/directory operations (delete, check whether a file exists)
import time

def create_file(file_path, content="default initial content\n"):
    try:
        if os.path.exists(file_path):
            print(f"⚠️ file {file_path} already exists, skipping creation")
            return False

        # open(..., "w") creates the file; this is the step that needs
        # write permission on the parent directory
        with open(file_path, "w", encoding="utf-8") as f:
            f.write(content)
        print(f"successfully :{file_path}")
        return True
    except Exception as e:
        print(f" failed : {e}")
        return False


if __name__ == "__main__":
    test_file = "/home/sf/apparmor/test/test_file" + str(int(time.time())) + ".txt"
    create_file(test_file, "content of file \n")
----------------------------------------------------


The profile is:
--------------------------------------------------------
abi <abi/4.0>,

include <tunables/global>

profile /home/sf/apparmor/operfile.py {
   include <abstractions/base>
   include <abstractions/evince>
   include <abstractions/python>

   capability dac_override,
   capability dac_read_search,

   /etc/apt/apt.conf.d/ r,
   /etc/apt/apt.conf.d/** r,

   /home/sf/apparmor/operfile.py r,
   /home/sf/apparmor/test/ rwix,
   /home/sf/apparmor/test/** rw,

   /proc/self/mem r, # process memory access (needed by the Python runtime)
   /sys/devices/** r, # system device information (optional, depends on the script)
   /tmp/** rw, # temporary directory (commonly used by Python)
   /usr/bin/python3.12 mrix,
   /var/tmp/** rw, # system temporary directory
   owner /home/*/apparmor/ r,
   /usr/lib/python3*/** r,        # read access to the Python library files

}

---------------------------------------------------------------

I used the command "sudo aa-enforce home.sf.apparmor.operfile.py" to make
sure the profile is loaded.

When the mode of "/home/sf/apparmor/test/" is 755, the script works fine
with the command "./operfile.py".

When the mode of "/home/sf/apparmor/test/" is 555, the command
"./operfile.py" returns "failed : [Errno 13] Permission denied:
'/home/sf/apparmor/test/test_file1768381998.txt'". If I use "sudo
./operfile.py", the file is created fine. It seems that dac_override
doesn't work here.

I checked with "sudo aa-logprof", but no information is returned.
Could you tell me why the Python script can't create the file when the
test folder is 555?

My OS is Ubuntu 24.04 and my AppArmor is 4.0.1.

Thanks

Fei Shao
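Editor's note with an added example (not code from the original post or from the AppArmor project). AppArmor capability rules are restrictive, not permissive: `capability dac_override,` only allows a confined process to use CAP_DAC_OVERRIDE if the process already holds it in its effective set, typically because it runs as root. It never grants the capability. Run as an ordinary user, the script has an empty effective capability set, the kernel's DAC check on the 0555 directory fails before AppArmor is ever consulted, and so there is no `apparmor="DENIED"` line for aa-logprof to pick up. Under sudo the process holds the capability and the profile permits its use, which is why that path works. The script below makes this visible by parsing `CapEff` from `/proc/<pid>/status` and predicting the DAC outcome. The constant names, the two status excerpts (constructed, not captured from a real host), the 41-bit full-capability mask for root, and the assumption that the caller owns the directory (so only the owner write bit 0o200 matters, with search permission present) are all assumptions of this example.

```python
#!/usr/bin/env python3
"""Does this process actually hold CAP_DAC_OVERRIDE?

AppArmor's `capability dac_override,` rule permits a capability the process
already has; it does not add one. Added example, not from the original post.
"""
import os

# Bit numbers from <linux/capability.h>.
CAP_DAC_OVERRIDE = 1      # bypass DAC read/write/execute permission checks
CAP_DAC_READ_SEARCH = 2   # bypass DAC read and directory search checks

# Constructed /proc/<pid>/status excerpts (not captured from a real system):
# an unprivileged user, and root on a kernel with 41 capabilities defined.
UNPRIV_STATUS = "Name:\tpython3\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
ROOT_STATUS = "Name:\tpython3\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"


def parse_cap_eff(status_text: str) -> int:
    """Return the effective capability bitmask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_cap(cap_eff: int, cap: int) -> bool:
    """True if capability bit `cap` is set in the effective set."""
    return bool((cap_eff >> cap) & 1)


def dac_allows_create(cap_eff: int, dir_mode: int) -> bool:
    """Predict the kernel's DAC decision for creating a file in a directory
    the caller owns (assumption: owner == caller, so only the owner's write
    bit 0o200 matters). CAP_DAC_OVERRIDE bypasses the mode bits entirely."""
    if has_cap(cap_eff, CAP_DAC_OVERRIDE):
        return True
    return bool(dir_mode & 0o200)


def current_cap_eff() -> int:
    """Read the calling process's own effective capabilities (Linux only)."""
    with open("/proc/self/status", encoding="ascii") as f:
        return parse_cap_eff(f.read())


def diagnose(cap_eff: int, dir_mode: int) -> str:
    """One-line explanation matching the 755-vs-555 behaviour in the post."""
    if dac_allows_create(cap_eff, dir_mode):
        return f"mode {dir_mode:o}: create succeeds (DAC allows it)"
    return (f"mode {dir_mode:o}: EACCES; CAP_DAC_OVERRIDE not in CapEff "
            f"{cap_eff:#x}, so an AppArmor 'capability dac_override,' rule "
            "has nothing to permit")


if __name__ == "__main__":
    for label, text in (("unprivileged user", UNPRIV_STATUS), ("root", ROOT_STATUS)):
        caps = parse_cap_eff(text)
        for mode in (0o755, 0o555):
            print(f"[{label}] {diagnose(caps, mode)}")
    if os.path.exists("/proc/self/status"):
        print(f"this process: {diagnose(current_cap_eff(), 0o555)}")
```

Caveat: `CapEff` reports what the process holds, not what AppArmor will let it use; a confined root process still shows the bit set, and it is only at the `capable()` check that a profile lacking `capability dac_override,` would deny it. Both conditions, holding the capability and the profile allowing it, must be true for the 0555 case to succeed.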
