Page 2 of 19 FirstFirst 123412 ... LastLast
Results 11 to 20 of 185

Thread: AppArmor Support Thread

  1. #11

    Re: AppArmor Support Thread

    yes, replacing has helped. thank you.
    now i see this:

    Feb 4 15:26:23 linux2009 kernel: [ 617.777856] type=1503 audit(1233750383.067:156): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/sbin/killall5" pid=7602 profile="/usr/lib/firefox-3.0.5/firefox.sh"

    should i allow it? how does it use it?

    and i want to say about a feature of apparmor: its permissions are other way than linux's. when new user is added and firefox first started by it, it requested w permission for .mozilla in home directory. i added it and it works. w permission for home directory is not needed.

  2. #12

    Re: AppArmor Support Thread

    man iptables:
    --cmd-owner name
    Matches if the packet was created by a process with the given command name. (this option is present only if iptables was compiled under a kernel supporting this feature)
    this has not worked. in ubuntu 8.10 . i think because iptables is not compiled so.
    i tried this command:
    sudo iptables -I OUTPUT 2 -p tcp -m owner --uid-owner 1234 --cmd-owner virtualbox --dport 80 -j ACCEPT

  3. #13
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    Quote Originally Posted by q.dinar View Post
    this has not worked. in ubuntu 8.10 . i think because iptables is not compiled so.
    i tried this command:
    sudo iptables -I OUTPUT 2 -p tcp -m owner --uid-owner 1234 --cmd-owner virtualbox --dport 80 -j ACCEPT
    That's unfortunate. Indeed it doesn't work. I've updated my post above to reflect this

  4. #14
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    Quote Originally Posted by q.dinar View Post
    yes, replacing has helped. thank you.
    now i see this:

    Feb 4 15:26:23 linux2009 kernel: [ 617.777856] type=1503 audit(1233750383.067:156): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/sbin/killall5" pid=7602 profile="/usr/lib/firefox-3.0.5/firefox.sh"

    should i allow it? how does it use it?
    I'm not sure how that's used. I don't allow it and I haven't run into problems, but I also haven't seen Firefox asking for that program. What were you doing when you saw that? Do you have any steps that allow you to consistently make Firefox ask for /sbin/killall5?

    Quote Originally Posted by q.dinar View Post
    and i want to say about a feature of apparmor: its permissions are other way than linux's. when new user is added and firefox first started by it, it requested w permission for .mozilla in home directory. i added it and it works. w permission for home directory is not needed.
    Quite right, Linux and AppArmor use two different sets of permissions. The permissions applied are the least common permissions between the two. So if a file has Linux permissions for read, write, and execute, but the AppArmor profile permissions allow read and execute, you won't be able to write to the file under that profile no matter how hard you try.

  5. #15

    Angry Re: AppArmor Support Thread

    i am quite sad. .

    you should rename and modify and reload /etc/apparmor.d/usr.lib.firefox-3.0.5.firefox.sh when firefox has upgraded to 3.0.6 !

    2009-12-22: this can be solved , at least in apparmor of ubuntu 9.10 : there is preinstalled but turned off firefox profile, profile's file name is not important, it is "usr.bin.firefox-3.5" , but in it:
    ...
    #include <tunables/global>

    /usr/lib/firefox-3.5.*/firefox {
    #include <abstractions/audio>
    ...
    and that works with all versions, i think.
    Last edited by q.dinar; December 22nd, 2009 at 09:16 PM.

  6. #16
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: AppArmor Support Thread

    Yes, you will need to change the file name and the paths in the file to match the new paths. The same would also apply to anything else installed with version information in the path name, like XUL Runner (/usr/lib/xulrunner-1.9/).

    AppArmor is definitely not a "set and forget" security system. In fact, any system which claims to be such a thing should be viewed suspiciously. When upgrades are done, or new packages installed, current rules may need to be revised or removed, or new rules may need to be added.

  7. #17

    Re: AppArmor Support Thread

    even when i have just started firefox, and only one blank tab(page) was on the start, it asked for killall5. when i opened new blank tab(page) it asked for it 4 times - but programs usually ask for things several times if not succeeded on first time. i allowed it but now again have denied it, so i see it now in syslog.

    "Quite right, Linux and AppArmor use two different sets of permissions. The permissions applied are the least common permissions between the two. ..."
    but i wanted to say about other feature: to create new "a" directory in "b" directory in linux "write" permission to "b" directory should be. in apparmor rules "write" permission to non-existing yet "a" itself is enough.

    i see that when i switch to firefox from other program with clicking to tab on task bar or with alt+tab it asks for killall5 2 times.

  8. #18

    Re: AppArmor Support Thread

    Code:
    Feb 16 10:53:31 linux2009 kernel: [  382.914441] type=1505 audit(1234770811.273:665): operation="profile_replace" name="/usr/bin/xchat" name2="default" pid=7453
    Feb 16 10:53:43 linux2009 kernel: [  395.513632] type=1502 audit(1234770823.873:666): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/sbin/killall5" pid=7460 profile="/usr/bin/xchat"
    Feb 16 10:53:43 linux2009 kernel: [  395.514803] type=1504 audit(1234770823.873:667): operation="exec" info="set profile" pid=7460 profile="null-complain-profile"
    Feb 16 10:53:43 linux2009 kernel: [  395.514830] type=1502 audit(1234770823.873:668): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
    Feb 16 10:53:43 linux2009 kernel: [  395.520025] type=1502 audit(1234770823.877:669): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
    Feb 16 10:53:43 linux2009 kernel: [  395.521749] type=1502 audit(1234770823.881:670): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
    Feb 16 10:53:43 linux2009 kernel: [  395.525482] type=1502 audit(1234770823.885:671): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/lib/ld-2.8.90.so" pid=7460 profile="null-complain-profile"
    also xchat has asked for killall5.
    what is null-complain-profile ?

  9. #19

  10. #20

    Re: AppArmor Support Thread

    now i have tested with renaming .mozilla . it asks for killall5 with newly created profile. but just now other user has used firefox, but in that time it has not asked for killall5!

Page 2 of 19 FirstFirst 123412 ... LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •