
Thread: AppArmor Support Thread

  1. #121

    Re: AppArmor Support Thread

    Quote Originally Posted by Jigen View Post
    Thank you for the help!

    Unfortunately there are still a couple of issues which are not clear to me:

    So even if I add the above reported abstractions file in my abstractions directory, the karmic's profile won't work?

    Does "manually update the 3.0.14 profile based on the karmic firefox 3.5.x" mean that I have to edit the file with gedit? In this case, I suppose I should just change the references for "ff-3.0.14" to "ff-3.5.*", am I right??

    Yes, you will need to manually edit the Firefox profile. You will need to know the proper location of the various libs, which, as I tried to point out, is dependent on how you installed Firefox.

    I am not positive, but I do not think you can use * with Jaunty; you will have to specify the version.

    Thus you will need to use firefox 3.5.x and NOT firefox 3.5.*
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  2. #122

    Re: AppArmor Support Thread


  3. #123

    Re: AppArmor Support Thread

    ohai
    Joel Goguen

  4. #124

    Re: AppArmor Support Thread

    hello
    I have a "cache" directory in the apparmor.d directory. Is this normal? This is in Ubuntu 9.10. Was it in previous versions? In my Ubuntu 9.04 it was not, I think. This cache directory's content: http://qdb.tmf.org.ru/9.10_ubuntu_ap...fillaro/cache/ .

  5. #125

    suggest to reload profile immediately after edit to check syntax

    hello
    After reloading a profile, restarting Apache is needed. After a restart, Apache's cache disappears and it works a little slower. Because of that, once, when installing a new script and changing the AppArmor profile of Apache for it, I thought: let me not restart Apache today, I will see whether it works tomorrow after a restart. The next day it worked. After several days I saw that some files were created by Apache though not allowed by AppArmor. I looked at sudo aa-status and saw no Apache there! I loaded it with sudo apparmor_parser /etc/apparmor.d/usr.lib.apache2.mpm-worker.apache2 and saw that there was a syntax error, and it just had not loaded on system start those days. So reload an edited (updated) profile immediately, even if you do not restart the blocked program, to check the syntax of the profile. Also, maybe there is a syntax check command? ... Seems not.
    And by the way, a bug report: the line number of the syntax error is not shown correctly... I should write this to the bug tracker...
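
The failure described in this post (an edited profile that silently fails to load, leaving the program unconfined) can be caught with a parse, reload and verify sequence. This is an added example, not code from the thread; it uses apparmor_parser's `-Q` (skip kernel load) and `-K` (skip cache) options as found in current AppArmor releases, and `AA_LOADED_LIST` and the function name are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Validate an edited AppArmor profile, reload it, then confirm the kernel has it.
# AA_LOADED_LIST is a hypothetical override used only to make the check testable.

aa_check_and_reload() {
    profile_file=$1     # e.g. /etc/apparmor.d/usr.lib.apache2.mpm-worker.apache2
    profile_name=$2     # name declared inside that file (supplied by the caller)
    loaded_list=${AA_LOADED_LIST:-/sys/kernel/security/apparmor/profiles}

    # Step 1: parse only. -Q skips the kernel load and -K bypasses the profile
    # cache, so the edited text itself is what gets parsed.
    if ! apparmor_parser -Q -K "$profile_file"; then
        echo "syntax error in $profile_file; loaded policy left unchanged" >&2
        return 1
    fi

    # Step 2: replace the in-kernel copy with the edited profile.
    if ! apparmor_parser -r "$profile_file"; then
        echo "reload of $profile_file failed" >&2
        return 2
    fi

    # Step 3: do not assume; check that the profile is listed as loaded.
    if ! grep -q -x -F -e "$profile_name (enforce)" \
                       -e "$profile_name (complain)" "$loaded_list"; then
        echo "$profile_name is not loaded: the program would run unconfined" >&2
        return 3
    fi
    echo "$profile_name parsed, reloaded and present in the kernel"
}

# Run as root: sh aa-check.sh <profile-file> <profile-name>
if [ "$#" -ge 2 ]; then
    aa_check_and_reload "$1" "$2"
fi
```

The distinct return codes (1 parse error, 2 reload failure, 3 not loaded) let a deployment script refuse to continue when the profile is not actually in force.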

  6. #126

    Re: AppArmor Support Thread

    Hi there,
    1st post on these forums so hope I don't sound too much of a noob.

    I've been running Ubuntu since February, so since Karmic and am now onto Lucid, and only just recently discovered AppArmor. I figured better safe than sorry.

    My question is, when running "aa-logprof" there's a "(C)hild" option. "Inherit" I think I get but what's the difference?

    Bigger question: Anyone worked out how to get Firefox 3.6.6 and AppArmor to play nice? Am pulling my hair out here

    I have what I think is a pretty permissive Firefox profile:

    Code:
    #include <tunables/global>

    /usr/lib/firefox-3.6.6/firefox.sh {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/bash>
      #include <abstractions/consoles>
      #include <abstractions/evince>
      #include <abstractions/nameservice>

      deny capability sys_ptrace,

      /bin/basename rix,
      /bin/bash rix,
      /bin/dash rix,
      /bin/grep rix,
      /bin/ps rix,
      /bin/sed rix,
      /bin/uname cx,
      /bin/which rcx,
      /etc/firefox/** r,
      /etc/magic r,
      /etc/mailcap r,
      /etc/mime.types r,
      /etc/xul-ext/* r,
      owner /home/*/.adobe/**/ r,
      owner /home/*/.cache/* k,
      owner /home/*/.config/** rw,
      owner /home/*/.esd_auth r,
      owner /home/*/.gtk-bookmarks r,
      owner /home/*/.local/** r,
      owner /home/*/.macromedia/** rw,
      /home/*/.mozilla/firefox/** rwk,
      owner /home/*/.recently-used.xbel r,
      owner /home/*/Documents/** r,
      owner /home/*/Downloads/ r,
      owner /home/*/Downloads/* rw,
      /proc/ r,
      /proc/* r,
      /proc/*/cmdline r,
      /proc/*/stat r,
      /proc/*/status r,
      /proc/sys/kernel/pid_max r,
      /usr/bin/basename cx,
      /usr/bin/dirname cx,
      /usr/bin/expr rix,
      /usr/bin/file rix,
      /usr/bin/gedit rix,
      /usr/lib/firefox-3.6.6/firefox rix,
      /usr/lib/firefox-3.6.6/firefox-bin rix,
      /usr/lib/firefox-3.6.6/plugin-container rix,
      /usr/lib/firefox-3.6.6/run-mozilla.sh rix,
      /usr/lib/firefox/firefox px,

      profile /bin/uname {
        /etc/*.alias r,
        /etc/*.cache r,
        /lib/tls/i686/cmov/*.so mr,
        /usr/lib/gconv/*.cache r,
        /usr/lib/locale/** r,
      }

      profile /bin/which {
        #include <abstractions/kde>

        /bin/which r,
      }

      profile /usr/bin/basename {
        #include <abstractions/base>

        /etc/*.cache r,
      }

      profile /usr/bin/dirname {
        #include <abstractions/base>
      }
    }
    Last edited by CandidMan; July 17th, 2010 at 07:14 PM. Reason: Lack of information

  7. #127

    Re: AppArmor Support Thread

    Hello.
    I have installed mod_wsgi for Apache and now I have 6 dac_override messages after Apache starts, no other messages. How can I discover why Apache needs it? Does it need it for concrete files?

  8. #128

    Re: AppArmor Support Thread

    Quote Originally Posted by CandidMan View Post
    Hi there,
    1st post on these forums so hope I don't sound too much of a noob.

    I've been running Ubuntu since February, so since Karmic and am now onto Lucid, and only just recently discovered AppArmor. I figured better safe than sorry.

    My question is, when running "aa-logprof" there's a "(C)hild" option. "Inherit" I think I get but what's the difference?

    Bigger question: Anyone worked out how to get Firefox 3.6.6 and AppArmor to play nice? Am pulling my hair out here

    I have what I think is a pretty permissive Firefox profile:

    Never mind. Recent Firefox update included a pretty comprehensive AppArmor profile.

  9. #129

    Re: AppArmor Support Thread

    hello
    I have many errors in ...messages like:
    Code:
    Jul 25 20:45:35 dinar-desktop kernel: [56178.185437] type=1502 audit(1280076335.905:11290): operation="file_lock" pid=5505 parent=1 profile="/etc/cron.daily/logrotate//null-1e3" requested_mask="::k" denied_mask="::k" fsuid=123 ouid=0 name="/var/run/proftpd/proftpd.scoreboard"
    I have made a rule for them in ...etc.cron.daily.logrotate and reloaded it, but I do not know how to restart logrotate. Good that it is in complain mode and I will restart the OS at night, but I would restart logrotate if I knew how. I googled it and found almost only this: http://www.linuxquestions.org/questi...rotate-505343/ where it is said that it is impossible to restart it.

    Added after several minutes:
    It has stopped logging after a restart of proftpd.
    Last edited by q.dinar; July 25th, 2010 at 05:58 PM.

  10. #130

    Re: AppArmor Support Thread

    Null profiles, like the one you posted,

    profile="/etc/cron.daily/logrotate//null-1e3"

    are generated from an earlier denial. You need to identify and fix the earlier denial (null profiles are in general meaningless).
    Last edited by bodhi.zazen; July 25th, 2010 at 10:00 PM.
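
One way to trace a null profile back to the earlier event, as an added example that is not part of the original posts: it strips the `//null-XXXX` suffix to get the parent profile and reports the last exec event logged under that parent. It assumes the earlier denial is an `operation="exec"` event under the parent profile; the function names and the first and third sample lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread.
# For each "<parent>//null-XXXX" profile seen in an AppArmor audit log, print:
#   null-profile <TAB> parent-profile <TAB> last exec logged under the parent
# Assumption: the earlier denial is an operation="exec" event under the parent.

null_profile_origins() {
    awk '
    # Return the value of key="value" on the current line, or "" if absent.
    function field(key,    re, s) {
        re = " " key "=\"[^\"]*\""
        if (!match($0, re)) return ""
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s)
        sub(/"$/, "", s)
        return s
    }
    {
        prof = field("profile")
        if (prof == "") next
        cut = index(prof, "//null-")
        if (cut == 0) {
            # Event under a real profile: remember its most recent exec target.
            if (field("operation") == "exec") last_exec[prof] = field("name")
            next
        }
        if (prof in seen) next          # report each null profile once
        seen[prof] = 1
        parent = substr(prof, 1, cut - 1)
        origin = (parent in last_exec) ? last_exec[parent] : "UNKNOWN"
        printf "%s\t%s\t%s\n", prof, parent, origin
    }' "$@"
}

# Sample input: line 2 is the message quoted in the thread; lines 1 and 3 are
# constructed for illustration.
sample_log() {
    cat <<'EOF'
Jul 25 20:40:01 host kernel: [55844.000001] type=1502 audit(1280076001.100:11280): operation="exec" pid=5490 parent=5480 profile="/etc/cron.daily/logrotate" requested_mask="::x" denied_mask="::x" fsuid=0 ouid=0 name="/usr/sbin/invoke-rc.d"
Jul 25 20:45:35 dinar-desktop kernel: [56178.185437] type=1502 audit(1280076335.905:11290): operation="file_lock" pid=5505 parent=1 profile="/etc/cron.daily/logrotate//null-1e3" requested_mask="::k" denied_mask="::k" fsuid=123 ouid=0 name="/var/run/proftpd/proftpd.scoreboard"
Jul 25 20:45:36 host kernel: [56179.000002] type=1502 audit(1280076336.100:11291): operation="open" pid=5505 parent=1 profile="/etc/cron.daily/logrotate//null-1e3" requested_mask="::r" denied_mask="::r" fsuid=123 ouid=0 name="/var/run/proftpd/proftpd.delay"
EOF
}

sample_log | null_profile_origins
```

An `UNKNOWN` in the third column means no exec event for the parent profile appears earlier in the input, so an older log file needs to be included.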
