Page 16 of 19 FirstFirst ... 61415161718 ... LastLast
Results 151 to 160 of 185

Thread: AppArmor Support Thread

  1. #151
    Join Date
    Aug 2008
    Location
    Manila, Philippines
    Beans
    231
    Distro
    Ubuntu 12.10 Quantal Quetzal

    Re: AppArmor Support Thread

    Hi. I have encountered this bit of a problem when I
    user@user-desktop:~$sudo genprof
    or use any of the apparmor utilities like logprof.

    Can't find include file abstractions/apache2-common: No such file or directory

    Before the problem arose, I downloaded apparmor-profiles from the repositories. I have them in enforce mode now except a couple. If one of the profiles are looking for abstractions/apache2-common and it's not in the /etc/apparmor.d directory should I just modify the profile? I don't run apache and don't think I will.

    Can you give me a clue on which one of the profiles would include abstraction/apache2-common? Thank you.

  2. #152
    Join Date
    Apr 2010
    Location
    Wales, UK
    Beans
    92
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    I'd just use:
    grep -r apache /etc/apparmor.d/

    to find the offending profile

    I had the same problem and fixed it that way. Think it was an apache abstraction actually

  3. #153
    Join Date
    Aug 2008
    Location
    Manila, Philippines
    Beans
    231
    Distro
    Ubuntu 12.10 Quantal Quetzal

    Re: AppArmor Support Thread

    thank you for the tip.
    I did what you said and found the reference to abstractions/apache2-common and modified the profile and saved it.
    fine now.

  4. #154
    Join Date
    Jun 2010
    Beans
    111
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: AppArmor Support Thread

    Quote Originally Posted by CandidMan View Post
    I'd just use:
    grep -r apache /etc/apparmor.d/

    to find the offending profile

    I had the same problem and fixed it that way. Think it was an apache abstraction actually
    Can you tell me what to do exactly?
    I have the same problem and after executing the above command I get this:
    Code:
    arapaho@kompik ~ $ grep -r apache /etc/apparmor.d/
    /etc/apparmor.d/apache2.d/phpsysinfo:    #include <abstractions/apache2-common>
    /etc/apparmor.d/apache2.d/phpsysinfo:    /var/log/apache2/access.log w,
    /etc/apparmor.d/apache2.d/phpsysinfo:    /var/log/apache2/error.log w,
    /etc/apparmor.d/abstractions/svn-repositories:  # it is intended to be included in profiles for svnserve/apache2 and maybe
    /etc/apparmor.d/abstractions/php5:  /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/ r,
    /etc/apparmor.d/abstractions/php5:  /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/*.ini r,
    Last edited by arapaho; November 5th, 2010 at 06:22 PM.

  5. #155
    Join Date
    Apr 2010
    Location
    Wales, UK
    Beans
    92
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    I just deleted the line containing:

    #include <abstractions/apache2-common>

    I suppose that's a 'hack' but it seems to work

  6. #156
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    Edits - the whole thing LOL - multiple times


    Hi and thanks for all the incredible information - there are giants in the room

    I have been slowly working though securing a laptop install of LinuxMint which is based on Ubuntu 10.10. Very similar in many ways. Draws on Ubuntu repos.
    Have installed AA(though some parts built in), AA-profiles,-docs,-notify, and their deps.

    I have AA profile for firefox, based on the default one which came bundled with the distro. I am pretty sure they didn't change anything from the Ubuntu 10.10 default FF profile, though I did. Slowly reading and gaining understanding.

    A couple questions . . . .

    [Redacted a big chunk of my post cause I need to read up and not be stupid.]

    I had some difficulty getting the profile to stick.
    On system restart, it was fine, but on reload or restart of AA, Firefox's profile got dropped from view (neither enforce, nor complain . . .inconsistently).

    [redacted - need to gather more info to expect response]


    Will report back on [redacted] my progress
    Will make separate post as I am feeling ridiculous with multiple edits.

    (Part of message redacted. I had issue with Flash not working - was me not reading posts and instructions, then not hitting save. . .<chuckle>)


    All of your help (any) will be much appreciated.
    You rock
    Last edited by MiniT; August 16th, 2011 at 12:55 AM. Reason: update

  7. #157
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    Ok
    lets try from a fresh piece of paper, eh?

    Still having issue with what profiles get loaded when:
    #on system restart - everything cool
    #on restart or reboot of AA - Firefox not in status list, must start individually
    #also on AA re-up - sometimes, inconsistently, samba daemons are unconfined!?

    Is this all expected/dangerous/ . . .I'm unsure! Mostly about Samba since I dont have a printer, but may one day get one.
    I expect to keep it around, but . . . don't know if I should care that it's loose irregularly



    Muchos gracias, dudes.
    and sorry about the mess, I'm under construction.
    (cool, a smily playin fiddle)

    mini

  8. #158
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    OK, let's see what I can do for you

    Quote Originally Posted by MiniT View Post
    I have AA profile for firefox, based on the default one which came bundled with the distro. I am pretty sure they didn't change anything from the Ubuntu 10.10 default FF profile, though I did. Slowly reading and gaining understanding.
    Make sure here that you remove the usr.bin.firefox link from /etc/apparmor.d/disable/ (anything in this directory isn't loaded by AppArmor).

    Quote Originally Posted by MiniT View Post
    [COLOR=SeaGreen]I had some difficulty getting the profile to stick.
    On system restart, it was fine, but on reload or restart of AA, Firefox's profile got dropped from view (neither enforce, nor complain . . .inconsistently).
    This is odd. It should (as you expect) either load or not load and be consistent about it. Check for the link in /etc/apparmor.d/disable/ and see if there's anything interesting in your logs.

    Quote Originally Posted by MiniT View Post
    (Part of message redacted. I had issue with Flash not working - was me not reading posts and instructions, then not hitting save. . .<chuckle>)
    Flash is silly anyway, I look forward to the day when we can all do without it

    Quote Originally Posted by MiniT View Post
    Still having issue with what profiles get loaded when:
    #on system restart - everything cool
    #on restart or reboot of AA - Firefox not in status list, must start individually
    #also on AA re-up - sometimes, inconsistently, samba daemons are unconfined!?

    Is this all expected/dangerous/ . . .I'm unsure! Mostly about Samba since I dont have a printer, but may one day get one.
    I expect to keep it around, but . . . don't know if I should care that it's loose irregularly
    Yea, it's bad for something to not be loaded when it should. Especially if the profile isn't in /etc/apparmor.d/disable/, it should always be loaded then. I can't recall what it does with a syntax error in the profile, but that should still be a consistent load or not load.

  9. #159
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    Chank you for your timely reply,much needed assistance (and forebearance)
    All is well - some thoughts:

    oooohhhhh.
    Right, this makes perfect sense . . .

    I'll put the inconsistency up to my errors of some kind. User error is usually a safe bet when things aren't consistent in some way.

    Actually followed the Flash issue just as per directions:
    tail -F /var/log/messages
    in seperate term, sudo gedit /etc/apparmor.d/usr.bin.firefox
    (fiddle with the goofy bits - my work - one line at a time)
    freshly started FF profile, FF open to HULU.com
    messages say first thing - (whine) FF gets into a special MINT flash directory! what the. . . OK, works much better now

    Here's to directions

    @jgoguen - yeah man, yeah

  10. #160
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    New post for orgzanitional purposes.

    Grey area regarding permissions - requires ME reading.
    What i would like a hint on is EXPLICIT versus IMPLICIT rules in profiles.
    It starts with whatever permission it had before.
    Tht means the firefox or transmission or samba critter may have a user account of sorts in a group of some kind - and defined limits therof.
    What I don't get is why I can Save Page As . . . and see - pretty much anything. Maybe even save to most sensitive areas - by default?
    Shouldn't FF be, well, less honored?
    Is this the place for AA - to trim the over-reaching program?

    Or is there another, more appropriate way to fence in programs' screwing with my sacred files?
    Seems like it would be a long list of DENYs to trim permissions only in a AA profile - if I wanted to limit it LITERALLY to only what it asked for and needed.

    What if I start iwth a profile that basically says :
    audit deny / mrwkl # or anything else goshdarnit

    Maybe I don't have the syntax right, but you get the idea.
    In complain, it should tell me everything it needs access to, and I get to figure out if it really does or not (the hard part).

    But how do I keep the blanket denial, with holes punched?
    Can I basically say NO then, WELL MAYBE? What would that syntax look like?
    My profile seems very relative and very reactive to outside permissions.
    Is this just part of the gammit with AA? (uh-oh, the music is starting to fade - this Armor is starting to feel heavy )

    Thank you for your help before, and in future.
    again @jgoguen - yeah man

    (Links and "read this, dummy" would be most helpful) peace yall
    Last edited by MiniT; August 17th, 2011 at 03:16 AM. Reason: uuuuhh, I'm a disorganized ****?

Page 16 of 19 FirstFirst ... 61415161718 ... LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •