Thread: AppArmor Support Thread

  1. #111

    Re: AppArmor Support Thread

    I have disallowed network stream and dgram for VirtualBox. Now I have tried to access the host Ubuntu's Apache server. For that I searched the internet and found out that I should access 10.0.2.2, but it does not work; at that time there is a reaction in syslog, reporting that it needs stream and dgram permission. I used that 10.0.... IP but do not remember exactly which.
    As far as I know, accessing localhost should not require network access. So why does it look like VirtualBox requires it?
    I think I will not explore this thing >15:13utc+4:without allowing network in vbox<, I am going to try to enable access to the network.
    VirtualBox required network and dgram network permission also when it just works, without accessing 10.0.... from the browser. I have also now tried to disable the network; with that setting it has only written one line in the log, or none. I think even without NAT or any other network setting it may be possible to access 10.0.... on the host computer. There are other options besides NAT; if I select them vbox says incorrect setting. Only internal networking does not cause it to say so, but it is for connecting several guest OSes.
    Last edited by q.dinar; April 1st, 2010 at 12:13 PM.

  2. #112
    Join Date
    Apr 2010
    Location
    Europe
    Beans
    19
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: AppArmor Support Thread

    Hi there, I hope this is the right thread for my question.

    I have tried to create a new apparmor profile for firefox 3.5 running on jaunty; however, I did not succeed, so I tried to grab the profile included in karmic, copy it into jaunty's apparmor.d directory and load it:
    Code:
    sudo aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5
    It complained about the unavailability of some abstractions (private-files, ubuntu-mail...). I looked for them in my abstractions directory and did not find them (probably they do not exist in jaunty, even though I have installed the additional apparmor profiles from ubuntu's repos), so I deleted just the 4 lines the terminal complained of (they were all like #include abstraction ...).

    I tried to load the profile again but it replied with the following error:

    Code:
    AppArmor parser error in /etc/apparmor.d/usr.bin.firefox-3.5 at line 915: syntax error, unexpected TOK_ID, expecting TOK_MODE
     Profile /etc/apparmor.d/usr.bin.firefox-3.5 failed to load
    but I am absolutely sure I only deleted those four lines with #include abstraction...

    In particular, they are lines 85, 181, 182 and 186 in karmic's default firefox-3.5 profile.

    How can I solve the problem?

  3. #113
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: AppArmor Support Thread

    Those abstraction files should be there. They were when I was using Jaunty.

    Why don't you tell us exactly which 4 abstraction files are missing and then I (or someone) here can post them so you can add them manually. That will be better than deleting lines from the firefox-profile itself.

  4. #114
    Join Date
    Feb 2010
    Location
    White Plume Mountain
    Beans
    8,233
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: AppArmor Support Thread

    Have you run
    Code:
    sudo apt-get install apparmor-profiles
    Thank you for your contributions. "So long and thanks for the fish!"

  5. #115
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    IMO firefox is not the best aa profile to start with and there are syntax variations between versions of ff.

    You can try this repository and go from there ...

    http://bodhizazen.net/aa-profiles/bodhizazen/
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  6. #116
    Join Date
    Feb 2010
    Location
    White Plume Mountain
    Beans
    8,233
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: AppArmor Support Thread

    Quote Originally Posted by bodhi.zazen View Post
    IMO firefox is not the best aa profile to start with and there are syntax variations between versions of ff.

    You can try this repository and go from there ...

    http://bodhizazen.net/aa-profiles/bodhizazen/
    You've been on a roll with getting Lucid in there, thanx.

    Cheers,
    Ronnie
    Thank you for your contributions. "So long and thanks for the fish!"

  7. #117
    Join Date
    Apr 2010
    Location
    Europe
    Beans
    19
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: AppArmor Support Thread

    Quote Originally Posted by bodhi.zazen View Post
    IMO firefox is not the best aa profile to start with and there are syntax variations between versions of ff.

    You can try this repository and go from there ...

    http://bodhizazen.net/aa-profiles/bodhizazen/
    I have tried with the ff-3.5 profile for karmic (even though I run jaunty, but I cannot find a ff 3.5 profile for jaunty in the repository), but it does not work, giving the same problems as mentioned above.

    @uRock
    Of course I have installed apparmor-profiles, but there is no trace of a ff 3.* profile or the abstractions I was asked for.

    @rookcifer
    Unfortunately they are not there. The abstractions apparmor looked for should be:

    Code:
    Setting /etc/apparmor.d/usr.bin.firefox-3.5 to enforce mode.
    Error:  #include <abstractions/private-files> not found at line 85 in  stdin.
    Error: #include <abstractions/ubuntu-email> not found at  line 181 in stdin.
    Error: #include  <abstractions/ubuntu-console-email> not found at line 182 in  stdin.
    Error: #include <abstractions/ubuntu-gnome-terminal> not  found at line 186 in stdin.
    When I deleted them (furthermore, bodhi.zazen's profile did not include the last three, so I thought I could do it without specific drawbacks) I got

    Code:
    AppArmor parser error in /etc/apparmor.d/usr.bin.firefox-3.5~ at  line 916: syntax error, unexpected TOK_ID, expecting TOK_MODE
     *  Failure: /etc/apparmor.d/usr.bin.firefox-3.5~ failed to load

  8. #118
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    Due to syntax changes in apparmor you cannot use the karmic profile.

    You can start with

    http://bodhizazen.net/aa-profiles/bo....14.firefox.sh

    and the karmic profile and manually update the 3.0.14 profile based on the karmic firefox 3.5.x

    Hint: Change the references for firefox 3.0.x to firefox 3.5.x

    But the exact path will depend on how you installed firefox 3.5.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  9. #119
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: AppArmor Support Thread

    Jigen:

    Here are the abstraction files as they appear on my machine.

    First up is "private-files":

    Code:
    # vim:syntax=apparmor
    # privacy-violations contains rules for common files that you want to explicity
    # deny access
    
      # privacy violations (don't audit files under $HOME otherwise get a
      # lot of false positives when reading contents of directories)
      deny @{HOME}/.*history mrwkl,
      deny @{HOME}/.fetchmail* mrwkl,
      deny @{HOME}/.viminfo* mrwkl,
      deny @{HOME}/.*~ mrwkl,
      deny @{HOME}/.*.swp mrwkl,
      deny @{HOME}/.*~1~ mrwkl,
      deny @{HOME}/.*.bak mrwkl,
    
      # special attention to (potentially) executable files
      audit deny @{HOME}/bin/** wl,
    
      deny @{HOME}/.bash* mrk,
      audit deny @{HOME}/.bash* wl,
    
      deny @{HOME}/.profile* mrk,
      audit deny @{HOME}/.profile* wl,
    
      deny @{HOME}/.*rc mrk,
      audit deny @{HOME}/.*rc wl,
    ubuntu-email:

    Code:
    #
    # abstraction for allowing graphical email clients in Ubuntu
    #
    
      /usr/bin/anjal Ux,
      /usr/bin/balsa Ux,
      /usr/bin/claws-mail Ux,
      /usr/bin/evolution Ux,
      /usr/lib/GNUstep/Applications/GNUMail.app/GNUMail Ux,
      /usr/bin/kmail Ux,
      /usr/bin/mailody Ux,
      /usr/bin/modest Ux,
      /usr/bin/seamonkey Ux,
      /usr/bin/sylpheed Ux,
      /usr/bin/tkrat Ux,
    
      /usr/lib/thunderbird/thunderbird Ux,
    ubuntu-console-email

    Code:
    #
    # abstraction for allowing console email clients in Ubuntu. These will
    # typically also need a terminal, so when using this abstraction, should also
    # do something like:
    #
    # #include <abstractions/ubuntu-gnome-terminal>
    #
    
      /usr/bin/alpine Ux,
      /usr/bin/citadel Ux,
      /usr/bin/cone Ux,
      /usr/bin/elmo Ux,
      /usr/bin/mutt Ux,

    ubuntu-gnome-terminal

    Code:
    #
    # for allowing access to gnome-terminal
    #
    
      #include <abstractions/gnome>
    
      # do not use ux or Ux here. Use at a minimum ix
      /usr/bin/gnome-terminal ix,
    Add these to abstractions then put the FF profile back to how it was at default, and you should be set.
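
A way to see which abstractions a profile expects before loading it, as an added example that is not part of any post in this thread; `missing_includes` and `demo` are names made up here and the sample profile is constructed. It checks only for missing `#include` files and does not detect the syntax differences between releases mentioned in post #118.

```shell
#!/bin/sh
# Added example: report which "#include <...>" files a profile needs that are
# not present under the AppArmor base directory.

# missing_includes PROFILE [BASE]  (BASE defaults to /etc/apparmor.d)
# Prints "LINE:PATH" for each missing include; returns 1 if any are missing.
missing_includes() {
    profile=$1
    base=${2:-/etc/apparmor.d}
    # -n keeps line numbers so results line up with the parser's
    # "not found at line N" messages. "# #include <...>" inside a comment
    # does not match because the line must start with the directive itself.
    grep -nE '^[[:space:]]*#include[[:space:]]*<[^>]+>' "$profile" |
    sed -E 's/^([0-9]+):[[:space:]]*#include[[:space:]]*<([^>]+)>.*/\1 \2/' |
    (
        rc=0
        while read -r lineno rel; do
            if [ ! -f "$base/$rel" ]; then
                echo "$lineno:$rel"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# demo: constructed profile and abstractions tree in a temp directory.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/abstractions"
    : > "$tmp/abstractions/base"
    : > "$tmp/abstractions/gnome"
    cat > "$tmp/usr.bin.example" <<'EOF'
# constructed sample profile, not the real firefox-3.5 profile
/usr/bin/example {
  #include <abstractions/base>
  #include <abstractions/private-files>
  # #include <abstractions/ubuntu-gnome-terminal>
  #include <abstractions/ubuntu-email>
  /usr/bin/example mr,
}
EOF
    missing_includes "$tmp/usr.bin.example" "$tmp"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Stand-alone use: sh check.sh /etc/apparmor.d/usr.bin.firefox-3.5
if [ "$#" -gt 0 ]; then missing_includes "$@"; fi
```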

  10. #120
    Join Date
    Apr 2010
    Location
    Europe
    Beans
    19
    Distro
    Ubuntu 10.04 Lucid Lynx

    Question Re: AppArmor Support Thread

    Thank you for the help!

    Unfortunately there are still a couple of issues which are not clear to me:

    So even if I add the above-reported abstraction files to my abstractions directory, the karmic profile won't work?

    Does "manually update the 3.0.14 profile based on the karmic firefox 3.5.x" mean that I have to edit the file with gedit? In this case, I suppose I should just change the references for "ff-3.0.14" to "ff-3.5.*", am I right??
