
Thread: AppArmor Support Thread

  1. #141
    Join Date
    Jan 2008
    Location
    A place with no mountains
    Beans
    1,608
    Distro
    Kubuntu

    Re: AppArmor Support Thread

    Quote Originally Posted by bodhi.zazen View Post
    Well, if your time is limited, I would first ask, why fix the problem then? Are these denials preventing you from using firefox?

    Second, each denial is likely an edit to the firefox profile. You will need to post the exact denials, unedited, or learn how to configure apparmor yourself. In other words, I cannot tell you how to fix the problem as you edited the denials and did not post the raw data.
    Yes, the main problem that I'm encountering is that I cannot save my downloads to the locations I wish to use.

    Under the commented section "# Default profile allows downloads to ~/Downloads and uploads from ~/Public" can I just list the directories I wish to be able to use?

    For example, I see this entry:
    Code:
    owner @{HOME}/{Desktop,Downloads}/** rw,
    Can I simply add below that one the following new line?
    Code:
    /shared_location/downloads/** rw,
    Is "owner" necessary? Why does it use two asterisks as wildcards?

    I will be happy to post all the DENIED messages that I'd like to address, but if we can solve my download locations issue, that would be a great start and I would really appreciate it!

    EDIT: thanks for this great thread! And for your aa-profiles repo!!!
    Desktop: KX Studio (Kubuntu 12.04)
    Laptop & Netbook: Kubuntu 12.04
    Tablet: Samsung Galaxy Tab 10.1
    Phone: Nexus 4 Cyanogenmod

  2. #142
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    That line

    Code:
    /shared_location/downloads/** rw,
    should allow you to download to the location in question, yes.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  3. #143
    Join Date
    Jan 2008
    Location
    A place with no mountains
    Beans
    1,608
    Distro
    Kubuntu

    Re: AppArmor Support Thread

    Quote Originally Posted by bodhi.zazen View Post
    That line

    Code:
    /shared_location/downloads/** rw,
    should allow you to download to the location in question, yes.
    Thank you. And what about my two questions:
    What does "owner" do? Is that just a parameter for @{HOME} to get the path?
    Why does it use two asterisks as wildcards? What would one asterisk do?
    Desktop: KX Studio (Kubuntu 12.04)
    Laptop & Netbook: Kubuntu 12.04
    Tablet: Samsung Galaxy Tab 10.1
    Phone: Nexus 4 Cyanogenmod

  4. #144
    Join Date
    Jan 2008
    Location
    A place with no mountains
    Beans
    1,608
    Distro
    Kubuntu

    Re: AppArmor Support Thread

    Quote Originally Posted by bodhi.zazen View Post
    That line

    Code:
    /shared_location/downloads/** rw,
    should allow you to download to the location in question, yes.
    I changed that and restarted firefox and I still can't save to that location. Do I have to restart the OS?

    Log entry:
    [30144.764313] type=1400 audit(1287094667.522:60): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/lib/firefox-4.0b8pre/firefox{,*[^s][^h]}" name="/shared_location/downloads/Software/Linux/UbuntuReleases/ubuntu-10.10-dvd-amd64.iso" pid=4326 comm="firefox-4.0-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
    Desktop: KX Studio (Kubuntu 12.04)
    Laptop & Netbook: Kubuntu 12.04
    Tablet: Samsung Galaxy Tab 10.1
    Phone: Nexus 4 Cyanogenmod

  5. #145
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    Quote Originally Posted by MountainX View Post
    I changed that and restarted firefox and I still can't save to that location. Do I have to restart the OS?

    Log entry:
    [30144.764313] type=1400 audit(1287094667.522:60): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/lib/firefox-4.0b8pre/firefox{,*[^s][^h]}" name="/shared_location/downloads/Software/Linux/UbuntuReleases/ubuntu-10.10-dvd-amd64.iso" pid=4326 comm="firefox-4.0-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
    After editing the firefox profile you need to restart apparmor.

    Code:
    sudo service apparmor restart
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface
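An added example, not part of any post in the thread: it checks the denial quoted above against candidate profile rules, using a simplified subset of AppArmor globbing (`*`, `**`, `?`, `{a,b}`). The function names are hypothetical; the log line is the one from the thread. Because the `**` rule already covers the denied path, a denial logged after the edit means the kernel is still enforcing the previously loaded profile.

```python
import re

# Denial line copied from the thread (posts #144/#145).
LOG = ('[30144.764313] type=1400 audit(1287094667.522:60): apparmor="DENIED" '
       'operation="mknod" parent=1 '
       'profile="/usr/lib/firefox-4.0b8pre/firefox{,*[^s][^h]}" '
       'name="/shared_location/downloads/Software/Linux/UbuntuReleases/'
       'ubuntu-10.10-dvd-amd64.iso" pid=4326 comm="firefox-4.0-bin" '
       'requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000')

def parse_denial(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def glob_to_regex(glob):
    """Translate a subset of AppArmor globbing (*, **, ?, {a,b}) to a regex."""
    out, i, depth = "", 0, 0
    while i < len(glob):
        ch = glob[i]
        if glob.startswith("**", i):      # ** crosses directory boundaries
            out, i = out + ".*", i + 2
            continue
        if ch == "*":                      # * stays inside one path component
            out += "[^/]*"
        elif ch == "?":
            out += "[^/]"
        elif ch == "{":
            out, depth = out + "(?:", depth + 1
        elif ch == "}" and depth:
            out, depth = out + ")", depth - 1
        elif ch == "," and depth:
            out += "|"
        else:
            out += re.escape(ch)
        i += 1
    return re.compile(out)

def rule_allows(rule, denial):
    """True if one file rule, e.g. 'owner /path/** rw,', covers the denial."""
    owner, glob, perms = re.fullmatch(
        r"\s*(owner\s+)?(\S+)\s+([rwaxmkl]+),\s*", rule).groups()
    if owner and denial["fsuid"] != denial["ouid"]:
        return False                       # owner: file uid must equal fsuid
    if not glob_to_regex(glob).fullmatch(denial["name"]):
        return False
    # In the log, 'c' (create) and 'd' (delete) fall under the rule's 'w'.
    granted = set(perms) | ({"a", "c", "d"} if "w" in perms else set())
    return set(denial["denied_mask"]) <= granted
```

A single `*` rule on `/shared_location/downloads/` would not cover this file, because it sits three directories below that path.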

  6. #146
    Join Date
    Jan 2008
    Location
    A place with no mountains
    Beans
    1,608
    Distro
    Kubuntu

    Re: AppArmor Support Thread

    Quote Originally Posted by bodhi.zazen View Post
    After editing the firefox profile you need to restart apparmor.

    Code:
    sudo service apparmor restart
    Thank you! Everything I need is working now and I learned a few things too, thanks to your kind assistance!
    Desktop: KX Studio (Kubuntu 12.04)
    Laptop & Netbook: Kubuntu 12.04
    Tablet: Samsung Galaxy Tab 10.1
    Phone: Nexus 4 Cyanogenmod

  7. #147
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    Quote Originally Posted by MountainX View Post
    Thank you! Everything I need is working now and I learned a few things too, thanks to your kind assistance!
    You are most welcome =)
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  8. #148
    Join Date
    Oct 2010
    Beans
    50
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: AppArmor Support Thread

    Hi

    I have 2 quick questions about this program. Didn't think this warranted its own thread.

    I want to restrict media files I have on my external HD from being able to do anything dangerous on my system except what is necessary to run properly with its parent program (.pdf files open with Evince, video/audio open with VLC, etc.). The reason being to protect my system if I open something dangerous without knowing. Can I achieve this with AppArmor & is using AppArmor the ideal way or is there an easier method to achieve the above?

    I've read the "Introduction to AppArmor" sticky, but I'm still quite confused. It doesn't help that I've only been using Ubuntu about 2 months now (basic computing).

    Thank You

  9. #149
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    Quote Originally Posted by WeAreLinux View Post
    Hi

    I have 2 quick questions about this program. Didn't think this warranted its own thread.

    I want to restrict media files I have on my external HD from being able to do anything dangerous on my system except what is necessary to run properly with its parent program (.pdf files open with Evince, video/audio open with VLC, etc.). The reason being to protect my system if I open something dangerous without knowing. Can I achieve this with AppArmor & is using AppArmor the ideal way or is there an easier method to achieve the above?

    I've read the "Introduction to AppArmor" sticky, but I'm still quite confused. It doesn't help that I've only been using Ubuntu about 2 months now (basic computing).

    Thank You
    Apparmor takes a few hours to learn.

    The basic syntax is that a profile is written for an application.

    Within the configuration file you use

    /full/path/to/file_or/directory permissions,

    It would be difficult or impossible to use apparmor for what you are thinking as you would need to write a profile for each and every (or most) binaries on your system.

    For what you want I would think selinux.

    Better, read the security sticky.

    I think if you mount your removable device as noexec and nodev that would be sufficient.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface
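An added example, not part of any post in the thread: a check that a removable device really is mounted with the `noexec` and `nodev` options suggested above. The mount table is a constructed sample in `/proc/mounts` format, and the device names, mount points and function names are assumptions.

```python
import re

# Constructed sample in /proc/mounts format (device, mount point, type, options).
SAMPLE_MOUNTS = r"""/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/External\040HD vfat rw,nosuid,nodev,relatime,uid=1000 0 0
/dev/sdc1 /media/usb ext4 rw,nosuid,nodev,noexec,relatime 0 0
"""

def unescape(field):
    """Decode the octal escapes (\\040 = space) the kernel uses in mount paths."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def missing_flags(mounts_text, mount_point, required=("noexec", "nodev")):
    """Return required options absent from mount_point, or None if not mounted."""
    result = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or unescape(fields[1]) != mount_point:
            continue
        options = set(fields[3].split(","))
        # A later line for the same mount point is the mount currently on top.
        result = [flag for flag in required if flag not in options]
    return result

if __name__ == "__main__":
    # Live check: pass open("/proc/mounts").read() instead of the sample.
    for mp in ("/media/External HD", "/media/usb"):
        print(mp, "missing:", missing_flags(SAMPLE_MOUNTS, mp))
```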

  10. #150
    Join Date
    Oct 2010
    Beans
    50
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: AppArmor Support Thread

    Quote Originally Posted by bodhi.zazen View Post
    I think if you mount your removable device as noexec and nodev that would be sufficient.
    I would do that by modifying the fstab file, correct?

    Would creating a non-admin user account & editing user permissions give me that same protection (deny execute permission)?
