Page 10 of 19
Results 91 to 100 of 185

Thread: AppArmor Support Thread

  1. #91
    Join Date
    Sep 2009
    Beans
    28
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: AppArmor Support Thread

    I don't really understand how the options logprof is giving me relate to the permissions outlined in the sticky and other documentation. Actually, most of the documentation I've been through makes almost no reference to logprof at all. Here's an example:
    Code:
    Reading log entries from /var/log/messages.
    Updating AppArmor profiles in /etc/apparmor.d.
    
    Profile:  /usr/lib/firefox-3.0.16/firefox.sh
    Execute:  /usr/bin/basename
    Severity: unknown
    
    
    (I)nherit / (P)rofile / (C)hild / (N)ame / (U)nconfined / (X)ix / (D)eny / Abo(r)t / (F)inish
    Use of uninitialized value $profile in concatenation (.) or string at /usr/share/perl5/Immunix/SubDomain.pm line 4401.
    Complain-mode changes:
    
    Profile:  /usr/bin/basename
    Path:     /usr/bin/basename
    Mode:     r
    Severity: unknown
    
    
     [1 - /usr/bin/basename]
    
    [(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
    Adding /usr/bin/basename r to profile.
    
    Profile:  /usr/lib/firefox-3.0.16/firefox.sh
    Path:     /bin/dash
    Old Mode: ix
    New Mode: rix
    Severity: unknown
    
    
     [1 - /bin/dash]
    
    [(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
    Adding /bin/dash rix to profile.
    
    Profile:  /usr/lib/firefox-3.0.16/firefox.sh
    Path:     /dev/ati/card0
    Mode:     rw
    Severity: unknown
    
    
     [1 - /dev/ati/card0]
    
    [(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
    Adding /dev/ati/card0 rw to profile.
    
    Profile:  /usr/lib/firefox-3.0.16/firefox.sh
    Path:     /etc/mailcap
    Mode:     r
    Severity: unknown
    
    
     [1 - /etc/mailcap]
    
    [(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
    Adding /etc/mailcap r to profile.
    
    Profile:  /usr/lib/firefox-3.0.16/firefox.sh
    Path:     /etc/mime.types
    Mode:     r
    Severity: unknown
    
    
     [1 - /etc/mime.types]
    
    [(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
    Adding /etc/mime.types r to profile.
    
    Profile:  /usr/lib/firefox-3.0.16/firefox.sh
    Path:     /home/cypher/.Xauthority
    Mode:     owner r
    Severity: 4
    
      1 - /home/cypher/.Xauthority 
     [2 - /home/*/.Xauthority]
    
    [(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
    My Firefox profile is basically a stub, so I should be getting complaints on everything. I've noticed that most people give Firefox rix access to basename. That's read and inherit, correct? So I hit I and it looks like that was the right option, but what do the others do? I'm really having trouble finding any documentation on the usage of logprof.

    Oh, and I'm still on 9.04

  2. #92
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    logprof is a command that will read the logs for you and give you suggestions on how to fix the problem or denials you are having.

    You will crawl into some of the darkest corners of your system learning to use AppArmor and logprof.

    The problem with logprof is that, especially in the beginning, you do not have enough experience to know what it is telling you.

    Stay with it, it does get easier.

    Actually, Firefox needs a profile in a big way, but it is NOT the best to start with. As you can see, Firefox touches a ton of system and $HOME files.

    For example, one starts with Firefox, but it is not long before one wants to open documents with, say, OOO, or music, or Flash, or open a PDF in Evince, and on and on ...

    There is a profile available for Firefox in 9.10; you can start there.

    You may also wish to look at what others are doing. I already suggested Zenix earlier today, you can also look at some aa repositories or google search aa profiles =)

    http://bodhizazen.net/aa-profiles/
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  3. #93

    Re: AppArmor Support Thread

    Maybe I have found a bug in AppArmor. I have profiles in apparmor.d for postfix's files; probably they are from the apparmor-profiles package, maybe from /usr/share/doc/apparmor-profiles/extra/. Then I went to install postfix, but it did not install without error messages. Some AppArmor logs appeared during the install; I fixed the profiles for them and uninstalled and reinstalled postfix, then fixed the profiles again, and so on, one or several more times, but after that, even though there were no more log entries, it could not be installed without errors. Only when I set one and then also the other profile to complain mode was it installed without error messages. The bug is that AppArmor blocked programs run by the post-install script, and the post-install script returned an error code, but AppArmor did not log anything about that.

    2009-12-29 21:36 UTC+3: https://bugs.launchpad.net/apparmor/+bug/501401
    Last edited by q.dinar; December 29th, 2009 at 07:37 PM.

  4. #94
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: AppArmor Support Thread

    Quote Originally Posted by bodhi.zazen
    You may also wish to look at what others are doing. I already suggested Zenix earlier today, you can also look at some aa repositories or google search aa profiles =)
    <thread hijack>

    I downloaded Zenix the other day and I didn't realize until I got it that you were behind it, bodhi. But I am running into one problem. I don't know the root password, and it prompts me for it when I try to install it! What is the root password? I searched the Zenix website and did not see it. I've tried everything: root, admin, zenix, buddha, zen, etc.

    </thread hijack>

  5. #95
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    Quote Originally Posted by rookcifer
    <thread hijack>

    I downloaded Zenix the other day and I didn't realize until I got it that you were behind it, bodhi. But I am running into one problem. I don't know the root password, and it prompts me for it when I try to install it! What is the root password? I searched the Zenix website and did not see it. I've tried everything: root, admin, zenix, buddha, zen, etc.

    </thread hijack>
    The root account is locked. When asked to enter an admin password, it is blank; simply hit enter (sudo or graphical apps) =)
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  6. #96

    Re: AppArmor Support Thread

    Maybe I have found another bug in AppArmor.
    Currently /var/www/ is not allowed to Apache.
    I have made a new vhost with a document root like /var/www/newsite/,
    but have not created that directory and have not fixed the Apache profile for that directory.
    If I open that vhost, Apache says "Not Found", but it should not know that that directory does not exist. If I create that directory, Apache says "Forbidden"! I.e. this is indeed not Apache's bug/behavior, when it cannot know whether there is a directory. So AppArmor says "forbidden" to Apache if the directory is not allowed, and says {something else} if this directory does not exist, even if listing its parent directory is not allowed.

    I will write about these 2 bugs in the bug tracker, "if the god wants".

    21:42 UTC+3: https://bugs.launchpad.net/apparmor/+bug/501404 .
    Last edited by q.dinar; December 29th, 2009 at 07:42 PM.

  7. #97

    Re: AppArmor Support Thread

    Another thing about Apache: PHP scripts working through CGI do not work under Apache's hats, but under the main Apache profile, or under the php-cgi profile if it is allowed with Px in the main Apache profile. In my case I have used mpm-worker Apache with php-cgi and fcgid. If you want to block a PHP script in a subdirectory from accessing files that are in the parent directory of the same domain, that is hard to do with suexec, but may be possible with Apache and AppArmor and mod_apparmor and mod_php; I have not tried it yet.

  8. #98
    Join Date
    Sep 2009
    Location
    Australia
    Beans
    24
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: AppArmor Support Thread

    Can someone please tell me why the Firefox profile is disabled by default in 9.10? I have enabled it and it works fine. Also, should I continue with AppArmor or switch to SELinux?

    thanks

  9. #99
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    Quote Originally Posted by windowless
    Can someone please tell me why the Firefox profile is disabled by default in 9.10? I have enabled it and it works fine.
    Because not everyone understands AppArmor and not all profiles work for everyone, they are disabled by default.

    This is similar to iptables: by default it is permissive.

    Also, should I continue with AppArmor or switch to SELinux?

    thanks
    It depends on what and how you are trying to restrict with SELinux or AppArmor. SELinux and AppArmor are tools, and each has advantages and disadvantages. For example, I do not believe there is any policy on Firefox in SELinux; have you ever tried to write a policy for Firefox in SELinux? Much easier to do in AppArmor.

    SELinux is used by the vast majority of people in the "targeted" mode and firefox is not currently "targeted".

    SELinux is not easy to install or configure on Ubuntu, and if you prefer SELinux I would steer you to Fedora. Although we are a large community, I think you will get better support for SELinux on the Fedora Forums =)
    Last edited by bodhi.zazen; January 3rd, 2010 at 08:00 AM.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  10. #100
    Join Date
    Aug 2007
    Beans
    35
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: AppArmor Support Thread

    What's the difference between these?
    Code:
    deny /abc r,
    deny owner /abc r,
    I looked around and found this but I don't understand what it means.

    Does it mean the owner is exempt from the rule?
    Last edited by rileinc; February 1st, 2010 at 02:04 PM.
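The `owner` qualifier asked about above is documented AppArmor semantics: an `owner` rule applies only when the task's fsuid matches the file's owner, and a `deny` rule takes precedence over any `allow` rule. The toy evaluator below (added here, not code from the thread or from AppArmor itself) models both, using the two rules from this post and the `owner r` suggestion logprof offered for `/home/*/.Xauthority` in post #91; the rule strings and uids are constructed.

```python
"""Toy evaluator for AppArmor file-rule semantics (added illustration, not AppArmor code):
deny rules beat allow rules, and `owner` matches only when the task's fsuid owns the file."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    path: str         # path glob as written in the profile
    perms: frozenset  # permission tokens, e.g. {"r", "w"} or {"r", "ix"}
    deny: bool = False
    owner: bool = False

def parse_rule(line: str) -> Rule:
    """Parse one file rule such as 'deny owner /abc r,' or '/bin/dash rix,'."""
    toks = line.strip().rstrip(",").split()
    deny = toks[0] == "deny"
    owner = toks[int(deny)] == "owner"
    path, mode = toks[int(deny) + int(owner):]
    # exec modes (ix, Px, Pix, Cx, Ux, ...) are single tokens; r w k l m are single letters
    return Rule(path, frozenset(re.findall(r"[PpCcUu]?[iu]?x|[rwklm]", mode)), deny, owner)

def glob_to_regex(glob: str) -> str:
    """AppArmor glob to anchored regex: `*` and `?` stop at '/', `**` crosses it."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        else:
            out += {"*": "[^/]*", "?": "[^/]"}.get(glob[i], re.escape(glob[i]))
            i += 1
    return "^" + out + "$"

def check_access(rules, path, perm, file_uid, task_uid) -> bool:
    """True if `perm` on `path` is permitted; anything no rule allows is denied."""
    allowed = False
    for rule in rules:
        if rule.owner and task_uid != file_uid:
            continue  # owner-qualified rules apply only to files the task owns
        if perm not in rule.perms or not re.match(glob_to_regex(rule.path), path):
            continue
        if rule.deny:
            return False  # an explicit deny wins over any matching allow
        allowed = True
    return allowed

# Constructed example: the two lines asked about, beside a plain allow for contrast.
POST_100_RULES = [parse_rule("/abc r,"), parse_rule("deny owner /abc r,")]
XAUTH_RULES = [parse_rule("owner /home/*/.Xauthority r,")]
```

With `POST_100_RULES`, a task reading its own /abc is denied while a task reading someone else's /abc is allowed, so the owner is the one the deny hits, not the one exempt from it.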
