There are, of course, limits to what systems like AppArmor can realistically do. They generally try to profile what an application should and should not be allowed to do "in Everyman's hands," knowing that there inevitably will be a small additional number of Gods (who also are a personally identifiable set of individuals/accounts). The goal is simply "like fraud-prevention" ... looking for attempts which appear to land outside of the established status-quo and preventing them from automatically going through.
When you are "training" such systems, generally you should do two things:
- Be sure that each thing which the AppArmor tool is "watching" will settle-upon a single, well-established profile. For example, if a particular tool is available both to the general public and to internal users, perhaps it will be necessary for each instance (although "they are, in fact, identical") to be perceived by the training-system as being unique, so that profiles appropriate to each user-base will be gathered.
- Avoid letting "godly" behavior be seen by the training system while it is training. Keep your 'Golden Ticket' in your pocket.
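As an added illustration of the two points above (not part of the original post), this sketch screens complain-mode audit records before they are used for profile building: events are grouped per profile so each instance is learned separately, and anything done by a privileged account is held back for manual review. The log lines, profile paths and privileged UID set are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed complain-mode audit records (not from a real system). The two
# profile names are hypothetical paths for the public and internal instances.
SAMPLE_LOG = '''\
type=AVC msg=audit(1700000001.101:201): apparmor="ALLOWED" operation="open" profile="/opt/public/reportgen" name="/srv/reports/q1.csv" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
type=AVC msg=audit(1700000002.214:202): apparmor="ALLOWED" operation="open" profile="/opt/internal/reportgen" name="/srv/internal/ledger.db" requested_mask="r" denied_mask="r" fsuid=2001 ouid=2001
type=AVC msg=audit(1700000003.377:203): apparmor="ALLOWED" operation="open" profile="/opt/internal/reportgen" name="/etc/shadow" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000004.052:204): apparmor="ALLOWED" operation="mknod" profile="/opt/public/reportgen" name="/etc/reportgen/override.conf" requested_mask="c" denied_mask="c" fsuid=900 ouid=900
type=AVC msg=audit(1700000005.660:205): apparmor="DENIED" operation="open" profile="/usr/bin/other" name="/etc/passwd" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
'''

PRIVILEGED_FSUIDS = {0, 900}  # assumption: root plus one hypothetical admin account
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the key=value fields of one audit line as a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def screen_training_log(text, privileged_fsuids):
    """Group complain-mode events per profile, holding back privileged ones."""
    learned = defaultdict(set)   # profile -> {(operation, path, mask)}
    held_back = []               # events to review by hand, never auto-learned
    for line in text.splitlines():
        rec = parse_record(line)
        # Complain-mode records are logged as ALLOWED; skip everything else.
        if rec.get("apparmor") != "ALLOWED" or "profile" not in rec:
            continue
        event = (rec.get("operation"), rec.get("name"), rec.get("requested_mask"))
        fsuid = rec.get("fsuid")
        # No fsuid means the actor is unknown, so treat it like a privileged event.
        if fsuid is None or int(fsuid) in privileged_fsuids:
            held_back.append((rec["profile"],) + event)
        else:
            learned[rec["profile"]].add(event)
    return dict(learned), held_back

if __name__ == "__main__":
    learned, held_back = screen_training_log(SAMPLE_LOG, PRIVILEGED_FSUIDS)
    for profile, events in sorted(learned.items()):
        print("learn", profile, sorted(events))
    for item in held_back:
        print("hold ", *item)
```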