Page 9 of 19 FirstFirst ... 7891011 ... LastLast
Results 81 to 90 of 185

Thread: AppArmor Support Thread

  1. #81

    Re: AppArmor Support Thread

    hello.
    i have searched in web some about auditd, i do not want to install it, i think it is extra problem for me, i do not need it, syslog is enough for me. if you think that i need it please(?) say what it gives(?).

    now i have started from empty apache profile and all things are understandable.
    by the way: /etc/init.d/apparmor reload and restart, as i know, reload all profiles that are already turned on, just deleting profile and restart do not help as i know, if i am not mistaken, need to delete with apparmor_parser -R or disable by making link at disable directory. so may be would be good if there is command to load profiles as they are in /apparmor.d/ .
    now i have moved 2 apache profiles, which are needed only to compare with them, to "disable" directory though it is for setting there links to profiles that should be disabled , i moved because moving with mouse is easier in nautilus. is there some key holding that i can directly make link in place other than folder of file? that would be also good to make links to files like /mnt/sdb1 because need root account to create link in /mnt/ .
    Last edited by q.dinar; December 24th, 2009 at 06:47 AM.

  2. #82

    Re: AppArmor Support Thread

    i attach /etc/apparmor.d content as it was when i have installed new ubuntu 9.10 , there are profiles that worked with ubuntu 9.04 and ubuntu 8.10 .
    i have attached them in "share your apparmor profiles" thread: http://ubuntuforums.org/showthread.p...97#post8551897 .

  3. #83

    Re: AppArmor Support Thread

    i have just installed ejabberd to ubuntu 9.10 i386 from its repository, have not configured any files of it, just started to make apparmor profile. last installation i made profile for /usr/sbin/ejabberd , this time i make for /etc/init.d/ejabberd . because if you look at system monitor there is beam and epmd proccesses running for ejabberd and no "ejabberd" process and ejabberd starts from /etc/init.d/ejabberd , so i make profile for it to control everything that it can start. and there is /usr/sbin/ejabberdctl is also started sometimes.
    to restart ejabberd use this commands: sudo /etc/init.d/ejabberd stop and sometimes sudo killall epmd - look whether it is running in system monitor then reload profile with sudo apparmor_parser -r /etc/apparmor.d/etc.init.d.ejabberd then start ejabberd with sudo /etc/init.d/ejabberd start.
    now i have apparmor profile so that no messages of apparmor about ejabberd.
    after i have this profile and stopped ejabberd, epmd and beam processes are left running so stop them with sudo killall epmd and sudo killall beam. i say to kill them because in previous installation without killing them ejabberd could not start again and if do not kill them i think new, modified apparmor profile will not apply properly or not apply at all.
    this current ejabberd apparmor profile wich works with fresh installed ejabberd of ubuntu 9.10 :
    Code:
    #include <tunables/global>
    /etc/init.d/ejabberd {
    #/etc/ld.so.cache r,
    #/lib/tls/i686/cmov/libc-2.10.1.so r,
    #/lib/libc-2.10.1.so r,
    #include <abstractions/base>
    /etc/init.d/ejabberd r,
    /etc/default/ejabberd r,
    /bin/su ix,
    capability dac_override,
    capability dac_read_search,
    /usr/bin/expr ix,
    /bin/sleep ix,
    /var/run/utmp rk,
    #include <abstractions/nameservice>
    /etc/login.defs r,
    /etc/pam.d/* r,
    /lib/security/** mr,
    /etc/shells r,
    /proc/filesystems r,
    capability setgid,
    /etc/shadow r,
    /etc/security/** r,
    capability setuid,
    /etc/environment r,
    /etc/default/locale r,
    /bin/dash ix,
    /usr/sbin/ejabberdctl ixr,
    /usr/sbin/ejabberd ixr,
    /bin/date ix,
    /usr/lib/erlang/bin/erl ix,
    /bin/sed ix,
    /usr/lib/erlang/** ix,
    /sys/devices/system/cpu/ r,
    /var/lib/ejabberd/** r,
    @{HOME}/erl_crash.dump wr,
    /sys/devices/system/cpu/** r,
    /etc/ejabberd/** r,
    /var/lib/ejabberd/ r,
    /var/log/ejabberd/** wr,
    /var/lib/ejabberd/** wr,
    /usr/lib/ejabberd/** mr,
    }
    why does it need "su" ? how can it use it? it is not only to became root? why it needs "shadow"? not only root can read it? ah i myself run it - /etc/init.d/ejabberd as root!
    11:01 utc+3: i think making profile for /etc/init.d/ejabberd is not correct , because it allows things like shadow which normal process that does not run as root cannot and should not use , because if it could it could use it to know out password. for what do you suggest create profiles? may be better for /usr/sbin/ejabberd and /usr/sbin/ejabberdctl ... may be also possible for epmd and beam ...
    Last edited by q.dinar; December 24th, 2009 at 09:06 AM.

  4. #84

    Re: AppArmor Support Thread

    now i have:
    Code:
    #include <tunables/global>
    /etc/init.d/ejabberd {
    #/etc/ld.so.cache r,
    #/lib/tls/i686/cmov/libc-2.10.1.so r,
    #/lib/libc-2.10.1.so r,
    #include <abstractions/base>
    /etc/init.d/ejabberd r,
    /etc/default/ejabberd r,
    /bin/su ix,
    capability dac_override,
    capability dac_read_search,
    /usr/bin/expr ix,
    /bin/sleep ix,
    /var/run/utmp rk,
    #include <abstractions/nameservice>
    /etc/login.defs r,
    /etc/pam.d/* r,
    /lib/security/** mr,
    /etc/shells r,
    /proc/filesystems r,
    capability setgid,
    /etc/shadow r,
    /etc/security/** r,
    capability setuid,
    /etc/environment r,
    /etc/default/locale r,
    /bin/dash ix,
    #/usr/sbin/ejabberdctl ixr,
    #/usr/sbin/ejabberd ixr,
    /usr/sbin/ejabberdctl Px,
    /usr/sbin/ejabberd Px,
    #/bin/date ix,
    #/usr/lib/erlang/bin/erl ix,
    #/bin/sed ix,
    #/usr/lib/erlang/** ix,
    #/sys/devices/system/cpu/ r,
    #@{HOME}/erl_crash.dump wr,
    #/sys/devices/system/cpu/** r,
    #/etc/ejabberd/** r,
    #/var/lib/ejabberd/ r,
    #/var/log/ejabberd/** wr,
    #/var/lib/ejabberd/** wr,
    #/usr/lib/ejabberd/** mr,
    }
    and
    Code:
    #include <tunables/global>
    /usr/sbin/ejabberd {
    #include <abstractions/base>
    /usr/sbin/ejabberd r,
    /etc/default/ejabberd r,
    /usr/lib/erlang/bin/erl ix,
    /bin/sed ix,
    /usr/lib/erlang/** ix,
    /proc/filesystems r,
    /sys/devices/system/cpu/ r,
    /bin/dash ix,
    /var/log/ejabberd/** wr,
    /var/lib/ejabberd/** wr,
    /sys/devices/system/cpu/** r,
    #include <abstractions/nameservice>
    /etc/ejabberd/** r,
    /var/lib/ejabberd/ r,
    /usr/lib/ejabberd/** mr,
    }
    and
    Code:
    #include <tunables/global>
    /usr/sbin/ejabberdctl {
    #include <abstractions/base>
    /usr/sbin/ejabberdctl r,
    /etc/default/ejabberd r,
    /bin/date ix,
    /usr/lib/erlang/bin/erl ix,
    /bin/sed ix,
    /usr/lib/erlang/** ix,
    /proc/filesystems r,
    /sys/devices/system/cpu/ r,
    /bin/dash ix,
    #include <abstractions/nameservice>
    /sys/devices/system/cpu/** r,
    @{HOME}/erl_crash.dump wr,
    /var/lib/ejabberd/** wr,
    }

  5. #85
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!

    Re: AppArmor Support Thread

    First, if no one has answered you please edit your post so that it has the most up-to-date information. Unfortunately, I don't know how much more help I can be since I'm not familiar with ejabberd

    The "su" command isn't just used to switch to root. Think of "su" as short for "switch user", which is exactly what it lets you do. It just happens that if you don't give it a user to change to, it defaults to root. If I say "su joe", I will be asked for the password for user "joe" and I will get a shell open as "joe", not as root. It's possible that ejabberd uses su to change to a lower-privilege user, or to run part of itself with lower privileges, but I would think the developers would use the system setuid() and setgid() calls to do that. I can't think of any reason for it to need access to /etc/shadow though.

    Do you have any problems with the set of three profiles you posted? If they work fine, you should post them in the thread for sharing profiles rather than here. Keep up the good work learning AppArmor
    Joel Goguen

  6. #86
    Join Date
    Dec 2008
    Location
    Orlando, Fl
    Beans
    456
    Distro
    Kubuntu 12.10 Quantal Quetzal

    Re: AppArmor Support Thread

    I really hate to be a lazy *** but is there a way I can just import a firefox profile that is already set up for me. lol

  7. #87
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: AppArmor Support Thread

    Quote Originally Posted by BigCityCat View Post
    I really hate to be a lazy *** but is there a way I can just import a firefox profile that is already set up for me. lol
    There is already a firefox profile (9.10 only), it just needs to be enabled. If you're using 9.10 all you need to do is:

    Code:
    sudo aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5
    And then restart apparmor:

    Code:
    sudo /etc/init.d/apparmor restart
    This firefox profile should work well most of the time, but since it isn't possible for one profile to serve all purposes, there might be instances where you might find it blocks normal behavior. For that you will need to check the logs in syslog to see what it's blocking and adjust it accordingly.

  8. #88

    Re: AppArmor Support Thread

    to #87 : and restart firefox, i think, if it is not changed in new apparmor.
    10:10 utc+3 : to #70: i had known about that...
    to #85 "... If they work fine, you should post them in the thread for sharing profiles rather than here. ..." - i have not used this much enough yet now, even has not registered a user.

    14:52 utc+3 : again adding to #87 : and may be you want to deny full access to your home folder and /mnt/ and /srv/ content , for that you should edit the profile.
    Last edited by q.dinar; December 25th, 2009 at 12:55 PM.

  9. #89

    Re: AppArmor Support Thread

    hello.
    (some tips/suggestions)
    when test apache do not just "sudo /etc/init.d/apache2 reload" but "sudo /etc/init.d/apache2 restart" or "... stop" and then "...start", because if you just reload, i think >2010-02-01: even maybe ... (unbelievable..) < some processes of it are left running and no apparmor profile apply to them, and you do not see in syslog what they used.
    i have forgotten second thing that i wanted to write.
    2009-12-25 23:43 utc+3 : i have remembered:
    what do you think about blocking up pppd?
    Last edited by q.dinar; February 1st, 2010 at 11:14 AM.

  10. #90
    Join Date
    Dec 2008
    Location
    Orlando, Fl
    Beans
    456
    Distro
    Kubuntu 12.10 Quantal Quetzal

    Re: AppArmor Support Thread

    Quote Originally Posted by rookcifer View Post
    There is already a firefox profile (9.10 only), it just needs to be enabled. If you're using 9.10 all you need to do is:

    Code:
    sudo aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5
    And then restart apparmor:

    Code:
    sudo /etc/init.d/apparmor restart
    This firefox profile should work well most of the time, but since it isn't possible for one profile to serve all purposes, there might be instances where you might find it blocks normal behavior. For that you will need to check the logs in syslog to see what it's blocking and adjust it accordingly.
    I appreciate that, thank you.

Page 9 of 19 FirstFirst ... 7891011 ... LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •