Can you explain why you want a non-privileged user to be able to edit
policy? I would like to better understand the problem here.
I think it might depend on how strict the users starting point is;
you could say:
1 This document editor can read and write any part of the users home
directory other than the . files.
or you could say:
2 This document editor can read any files but only write to the
'Documents directory'.
If the adminisrator set something up with (2) as the starting point it
would seem reasonable for the user to be able to add the ability to edit
documents in extra directories for their style of organising documents
they work on; but they would be restricted in what they could add
so that they couldn't add the ability to write to their settings
files.
<snip>
You just glob that directory, so the rule would look like:AppArmor will let you do that; most of the work is in splitting theYes, and designing the app so that it's filenames are predictable;
application. If you can get e.g. Firefox to use a separate process that
it exec's for editing your preferences, then AppArmor can confine that
helper app with a different policy than Firefox itself, including
granting the helper write permission to the config directory.
firefox has a fun habit of using randomly named profile directories.
/home/*/.mozilla/default/*/prefs.js rw,
if you wanted it to be a generic policy for all users. If you want a
tighter policy for your workstation, then it might look like
/home/dagilbert/.mozilla/default/somemozillarandomstring/prefs.js rw,
hard-coding both your username and the random directory name that
Mozilla chose.
Allowing a user to tweak (under constraints) their settings might allow
them to do something like create two mozilla profiles which are isolated
from each other, so that the profile they use for general web surfing
is isolated from the one they use for online banking.