AppArmor Support Thread

[Cypher1101]

I don't really understand how the options logprof is giving me relate to the permissions outlined in the sticky and other documentation. Actually, most of the documentation I've been through makes almost no reference to logprof at all. Here's an example:

Code:

Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.

Profile:  /usr/lib/firefox-3.0.16/firefox.sh
Execute:  /usr/bin/basename
Severity: unknown


(I)nherit / (P)rofile / (C)hild / (N)ame / (U)nconfined / (X)ix / (D)eny / Abo(r)t / (F)inish
Use of uninitialized value $profile in concatenation (.) or string at /usr/share/perl5/Immunix/SubDomain.pm line 4401.
Complain-mode changes:

Profile:  /usr/bin/basename
Path:     /usr/bin/basename
Mode:     r
Severity: unknown


 [1 - /usr/bin/basename]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /usr/bin/basename r to profile.

Profile:  /usr/lib/firefox-3.0.16/firefox.sh
Path:     /bin/dash
Old Mode: ix
New Mode: rix
Severity: unknown


 [1 - /bin/dash]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /bin/dash rix to profile.

Profile:  /usr/lib/firefox-3.0.16/firefox.sh
Path:     /dev/ati/card0
Mode:     rw
Severity: unknown


 [1 - /dev/ati/card0]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /dev/ati/card0 rw to profile.

Profile:  /usr/lib/firefox-3.0.16/firefox.sh
Path:     /etc/mailcap
Mode:     r
Severity: unknown


 [1 - /etc/mailcap]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /etc/mailcap r to profile.

Profile:  /usr/lib/firefox-3.0.16/firefox.sh
Path:     /etc/mime.types
Mode:     r
Severity: unknown


 [1 - /etc/mime.types]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /etc/mime.types r to profile.

Profile:  /usr/lib/firefox-3.0.16/firefox.sh
Path:     /home/cypher/.Xauthority
Mode:     owner r
Severity: 4

  1 - /home/cypher/.Xauthority 
 [2 - /home/*/.Xauthority]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts

My Firefox profile is basically a stub, so i should be getting complaints on everything. I've noticed that most people give firefox rix access to basename. That's read and inherit, correct? So I hit I and it looks like that was the right option, but what do the others do? I'm really having trouble finding any documentation on the usage of logprof.

Oh, and I'm still on 9.04

[bodhi.zazen]

logprof is a command that will read the logs for you and give you suggestions on how to fix the problem or denials you are having.

You will crawl into some of the darkes corners of your system learning to use apparmor and logprof.

The problem with logprof is that, especially in the beginning, you do not have enough experience to know what it is telling you.

Stay with it, it does get easier.

Actually, firefox needs a profile in a big way, but it is NOT the best to start with. As you can see, firefox touches a ton of system and $HOME files

For example, one starts with firefox, but it is not long before one wants to open documents with say OOO, or music, or flash, or open a pdf in evence, and on an on ...

There is a profile available for firefox in 9.10 , you can start there.

You may also wish to look at what others are doing. I already suggested Zenix earlier today, you can also look at some aa repositories or google search aa profiles =)

http://bodhizazen.net/aa-profiles/

[q.dinar]

may be i have found a bug of apparmor. i have in apparmor.d profiles for postfix's files, probably they are from apparmor-profiles package, may be from /usr/share/doc/apparmor-profiles/extra/ . and i have gone to install postfix. but it did not install without error messages. some apparmor logs appeared during install, i have fixed for them profiles and uninstall and reinstall postfix, then again fixed profiles and such one or several more times but after that even though there were not any log , it could not be installed without errors. only when i have set one and then also other profile to complain mode it has been installed without error messages. bug is that apparmor blocked up programs runned by post-install script and post install script returned error code but apparmor has not logged anything about that.

2009-12-29 21:36 utc+3 : https://bugs.launchpad.net/apparmor/+bug/501401

[rookcifer]

You may also wish to look at what others are doing. I already suggested Zenix earlier today, you can also look at some aa repositories or google search aa profiles =)

<thread hijack>

I downloaded Zenix the other day and I didn't realize until I got it that you were behind it, bodhi. But I am running into one problem. I don't know the root password, and it prompts me for it when I try to install it! What is the root password? I searched the Zenix website and did not see it. I've tried everything: root, admin, zenix, buddha, zen, etc.

</thread hijack>

[bodhi.zazen]

<thread hijack>

I downloaded Zenix the other day and I didn't realize until I got it that you were behind it, bodhi. But I am running into one problem. I don't know the root password, and it prompts me for it when I try to install it! What is the root password? I searched the Zenix website and did not see it. I've tried everything: root, admin, zenix, buddha, zen, etc.

</thread hijack>

The root account is locked. When asked to enter an admin password, it is blank, simply hit enter (sudo or graphical apps) =)

[q.dinar]

may be i have found another bug of apparmor.
currently /var/www/ is not allowed to apache.
i have made new vhost with directory root like /var/www/newsite/ .
but have not created that directory and have not fixed apache profile for that directory.
if i open that vhost apache says "Not Found" but it should not know about that that directory does not exist. if i create that directory apache says "Forbidden"! ie indeed this is not apache bug/behavior when it cannot know whether there is directory. so apparmor says to apache: "forbidden" if directory is not allowed and says {something else} if this directory does not exist even if parent directory listing of it is not allowed.

i will write about this 2 bugs in bug tracker ", if the god wants".

21:42 utc+3 : https://bugs.launchpad.net/apparmor/+bug/501404 .

[q.dinar]

another thing about apache: php scripts working through cgi do not work under hats of apache but under main apache profile or under php-cgi profile if it is allowed with Px in main apache profile. in my case: i have used mpm-worker apache with php-cgi and fcgid. if you want to block up php script in subdirectory from accessing files that are in parent directory of same domain, that is hard to make with suexec, but may be possible with apache and apparmor and mod_apparmor and mod_php, i have not tried it yet.

[windowless]

can someone please tell me why firefox profile is disabled by default in 9.10 .I have enabeld it and it works fine.Also should i continue with apparnor or switch to selinux?

thanks

[bodhi.zazen]

can someone please tell me why firefox profile is disabled by default in 9.10 .I have enabeld it and it works fine.

Because not everyone understands apparmor and not all profiles work for everyone, they are disabled by default.

This is similar to iptables, by default it is permissive.

Also should i continue with apparnor or switch to selinux?

thanks

It depends on what and how you are trying to restrict with SELinux or Apparmor. SElinux are tools, and each has advantages and disadvantages. For example, I don not believe there is any policy on Firefox in SElinux, have you ever tried to write a policy for firefox in SELinux ? Much easier to do in Apparmor.

SELinux is used by the vast majority of people in the "targeted" mode and firefox is not currently "targeted".

SELinux is not easy to install or configure on Ubuntu, and if you prefer SELinux I would steer you to Fedora. Although we are a large community, I think you will get better support for SELinux on the Fedora Forums =)

[rileinc]

What's the difference these?

Code:

deny /abc r,
deny owner /abc r,

I looked around and found this but I don't understand what it means.

Does it mean the owner is exempt from the rule?