Page 9 of 19
Results 81 to 90 of 185

Thread: AppArmor Support Thread

  1. #81

    Re: AppArmor Support Thread

    Hello.
    I have searched the web a bit about auditd; I do not want to install it, I think it is an extra problem for me, I do not need it, syslog is enough for me. If you think that I need it, please say what it gives.

    Now I have started from an empty apache profile and everything is understandable.
    By the way: /etc/init.d/apparmor reload and restart, as I know, reload all profiles that are already turned on; just deleting a profile and restarting does not help, as I know. If I am not mistaken, you need to delete it with apparmor_parser -R or disable it by making a link in the disable directory. So maybe it would be good if there were a command to load the profiles as they are in /apparmor.d/ .
    Now I have moved 2 apache profiles, which are needed only to compare with, to the "disable" directory, though it is for putting there links to profiles that should be disabled; I moved them because moving with the mouse is easier in nautilus. Is there some key to hold so that I can directly make a link in a place other than the folder of the file? That would also be good for making links to files like /mnt/sdb1, because you need the root account to create a link in /mnt/ .
    Last edited by q.dinar; December 24th, 2009 at 06:47 AM.

  2. #82

    Re: AppArmor Support Thread

    I attach the /etc/apparmor.d content as it was when I installed the new Ubuntu 9.10; there are profiles that worked with Ubuntu 9.04 and Ubuntu 8.10.
    I have attached them in the "share your apparmor profiles" thread: http://ubuntuforums.org/showthread.p...97#post8551897 .

  3. #83

    Re: AppArmor Support Thread

    I have just installed ejabberd on Ubuntu 9.10 i386 from its repository, have not configured any of its files, and just started to make an apparmor profile. In the last installation I made a profile for /usr/sbin/ejabberd; this time I make one for /etc/init.d/ejabberd, because if you look at the system monitor there are beam and epmd processes running for ejabberd and no "ejabberd" process, and ejabberd starts from /etc/init.d/ejabberd, so I make a profile for it to control everything that it can start. And /usr/sbin/ejabberdctl is also started sometimes.
    To restart ejabberd use these commands: sudo /etc/init.d/ejabberd stop and sometimes sudo killall epmd (look whether it is running in the system monitor), then reload the profile with sudo apparmor_parser -r /etc/apparmor.d/etc.init.d.ejabberd, then start ejabberd with sudo /etc/init.d/ejabberd start.
    Now I have an apparmor profile such that there are no messages from apparmor about ejabberd.
    After I have this profile and stopped ejabberd, the epmd and beam processes are left running, so stop them with sudo killall epmd and sudo killall beam. I say to kill them because in the previous installation, without killing them, ejabberd could not start again, and if you do not kill them I think the new, modified apparmor profile will not apply properly or not apply at all.
    This is the current ejabberd apparmor profile which works with a freshly installed ejabberd on Ubuntu 9.10:
    Code:
    #include <tunables/global>
    /etc/init.d/ejabberd {
    #/etc/ld.so.cache r,
    #/lib/tls/i686/cmov/libc-2.10.1.so r,
    #/lib/libc-2.10.1.so r,
    #include <abstractions/base>
    /etc/init.d/ejabberd r,
    /etc/default/ejabberd r,
    /bin/su ix,
    capability dac_override,
    capability dac_read_search,
    /usr/bin/expr ix,
    /bin/sleep ix,
    /var/run/utmp rk,
    #include <abstractions/nameservice>
    /etc/login.defs r,
    /etc/pam.d/* r,
    /lib/security/** mr,
    /etc/shells r,
    /proc/filesystems r,
    capability setgid,
    /etc/shadow r,
    /etc/security/** r,
    capability setuid,
    /etc/environment r,
    /etc/default/locale r,
    /bin/dash ix,
    /usr/sbin/ejabberdctl ixr,
    /usr/sbin/ejabberd ixr,
    /bin/date ix,
    /usr/lib/erlang/bin/erl ix,
    /bin/sed ix,
    /usr/lib/erlang/** ix,
    /sys/devices/system/cpu/ r,
    /var/lib/ejabberd/** r,
    @{HOME}/erl_crash.dump wr,
    /sys/devices/system/cpu/** r,
    /etc/ejabberd/** r,
    /var/lib/ejabberd/ r,
    /var/log/ejabberd/** wr,
    /var/lib/ejabberd/** wr,
    /usr/lib/ejabberd/** mr,
    }
    Why does it need "su"? How can it use it? Is it not only to become root? Why does it need "shadow"? Can't only root read it? Ah, I myself run it (/etc/init.d/ejabberd) as root!
    11:01 utc+3: I think making a profile for /etc/init.d/ejabberd is not correct, because it allows things like shadow, which a normal process that does not run as root cannot and should not use, because if it could, it could use it to know our password. For what do you suggest creating profiles? Maybe better for /usr/sbin/ejabberd and /usr/sbin/ejabberdctl ... maybe also possible for epmd and beam ...
    Last edited by q.dinar; December 24th, 2009 at 09:06 AM.

  4. #84

    Re: AppArmor Support Thread

    Now I have:
    Code:
    #include <tunables/global>
    /etc/init.d/ejabberd {
    #/etc/ld.so.cache r,
    #/lib/tls/i686/cmov/libc-2.10.1.so r,
    #/lib/libc-2.10.1.so r,
    #include <abstractions/base>
    /etc/init.d/ejabberd r,
    /etc/default/ejabberd r,
    /bin/su ix,
    capability dac_override,
    capability dac_read_search,
    /usr/bin/expr ix,
    /bin/sleep ix,
    /var/run/utmp rk,
    #include <abstractions/nameservice>
    /etc/login.defs r,
    /etc/pam.d/* r,
    /lib/security/** mr,
    /etc/shells r,
    /proc/filesystems r,
    capability setgid,
    /etc/shadow r,
    /etc/security/** r,
    capability setuid,
    /etc/environment r,
    /etc/default/locale r,
    /bin/dash ix,
    #/usr/sbin/ejabberdctl ixr,
    #/usr/sbin/ejabberd ixr,
    /usr/sbin/ejabberdctl Px,
    /usr/sbin/ejabberd Px,
    #/bin/date ix,
    #/usr/lib/erlang/bin/erl ix,
    #/bin/sed ix,
    #/usr/lib/erlang/** ix,
    #/sys/devices/system/cpu/ r,
    #@{HOME}/erl_crash.dump wr,
    #/sys/devices/system/cpu/** r,
    #/etc/ejabberd/** r,
    #/var/lib/ejabberd/ r,
    #/var/log/ejabberd/** wr,
    #/var/lib/ejabberd/** wr,
    #/usr/lib/ejabberd/** mr,
    }
    and
    Code:
    #include <tunables/global>
    /usr/sbin/ejabberd {
    #include <abstractions/base>
    /usr/sbin/ejabberd r,
    /etc/default/ejabberd r,
    /usr/lib/erlang/bin/erl ix,
    /bin/sed ix,
    /usr/lib/erlang/** ix,
    /proc/filesystems r,
    /sys/devices/system/cpu/ r,
    /bin/dash ix,
    /var/log/ejabberd/** wr,
    /var/lib/ejabberd/** wr,
    /sys/devices/system/cpu/** r,
    #include <abstractions/nameservice>
    /etc/ejabberd/** r,
    /var/lib/ejabberd/ r,
    /usr/lib/ejabberd/** mr,
    }
    and
    Code:
    #include <tunables/global>
    /usr/sbin/ejabberdctl {
    #include <abstractions/base>
    /usr/sbin/ejabberdctl r,
    /etc/default/ejabberd r,
    /bin/date ix,
    /usr/lib/erlang/bin/erl ix,
    /bin/sed ix,
    /usr/lib/erlang/** ix,
    /proc/filesystems r,
    /sys/devices/system/cpu/ r,
    /bin/dash ix,
    #include <abstractions/nameservice>
    /sys/devices/system/cpu/** r,
    @{HOME}/erl_crash.dump wr,
    /var/lib/ejabberd/** wr,
    }

  5. #85
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!

    Re: AppArmor Support Thread

    First, if no one has answered you, please edit your post so that it has the most up-to-date information. Unfortunately, I don't know how much more help I can be, since I'm not familiar with ejabberd.

    The "su" command isn't just used to switch to root. Think of "su" as short for "switch user", which is exactly what it lets you do. It just happens that if you don't give it a user to change to, it defaults to root. If I say "su joe", I will be asked for the password for user "joe" and I will get a shell open as "joe", not as root. It's possible that ejabberd uses su to change to a lower-privilege user, or to run part of itself with lower privileges, but I would think the developers would use the system setuid() and setgid() calls to do that. I can't think of any reason for it to need access to /etc/shadow though.

    Do you have any problems with the set of three profiles you posted? If they work fine, you should post them in the thread for sharing profiles rather than here. Keep up the good work learning AppArmor.
    Joel Goguen
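    The questions in #83 and #85 about why the init-script profile carries su and /etc/shadow, and the change from ix to Px for /usr/sbin/ejabberd in #84, come down to AppArmor's exec transition modes: with ix the child process keeps the caller's profile (and every rule in it), with Px it is confined by its own profile. The Python below is an added example, not code from this thread or from the AppArmor project. It parses a small subset of profile syntax (path rules, capability rules, #include lines, comments), follows the exec transition, and lists which rules from a constructed watch-list the daemon ends up with. The profile texts are constructed, trimmed versions of the ones posted above; the watch-list, the function names and the simplification that Px lands in the profile whose name equals the executable path are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed watch-list for this example (not an AppArmor built-in): things a
# confined network daemon normally has no business with.
SENSITIVE_PATHS = {"/etc/shadow", "/etc/gshadow", "/bin/su"}
SENSITIVE_CAPS = {"setuid", "setgid", "dac_override", "dac_read_search"}

PATH_RULE = re.compile(r"^(\S+)\s+([a-zA-Z]+),$")
CAP_RULE = re.compile(r"^capability\s+(\w+),$")
INCLUDE_RULE = re.compile(r"^#include\s+<([^>]+)>$")


@dataclass
class Profile:
    name: str
    paths: dict = field(default_factory=dict)       # path pattern -> permission letters
    capabilities: set = field(default_factory=set)
    includes: list = field(default_factory=list)


def parse_profiles(text):
    """Parse one or more profiles. Only the subset used in the thread is understood;
    anything else raises so a typo is not silently dropped."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INCLUDE_RULE.match(line)
        if m:                                   # #include must be checked before '#' comments
            if current is not None:             # includes outside a block (tunables) are skipped
                current.includes.append(m.group(1))
            continue
        if line.startswith("#"):                # comment, including commented-out rules
            continue
        if line.endswith("{"):
            current = Profile(line[:-1].strip())
            profiles[current.name] = current
            continue
        if line == "}":
            current = None
            continue
        if current is None:
            raise ValueError(f"rule outside a profile block: {line!r}")
        m = CAP_RULE.match(line)
        if m:
            current.capabilities.add(m.group(1))
            continue
        m = PATH_RULE.match(line)
        if m:
            current.paths[m.group(1)] = m.group(2)
            continue
        raise ValueError(f"unsupported rule: {line!r}")
    return profiles


def exec_profile(profiles, parent, exe):
    """Profile name confining `exe` once `parent` executes it: 'ix' keeps the
    parent's profile, 'Px'/'px' switches to the profile named after the
    executable, 'Ux'/'ux' runs unconfined, no x permission means exec denied.
    ('cx' child profiles are not modelled here.)"""
    perms = profiles[parent].paths.get(exe, "")
    if "x" not in perms:
        return None
    if "i" in perms:
        return parent
    if "P" in perms or "p" in perms:
        return exe if exe in profiles else None  # Px with no such profile: exec denied
    if "U" in perms or "u" in perms:
        return "unconfined"
    return None


def sensitive_grants(profile):
    """Rules in one parsed profile that hit the watch-list, as readable strings."""
    found = [f"{p} {perm}" for p, perm in profile.paths.items() if p in SENSITIVE_PATHS]
    found += [f"capability {c}" for c in sorted(profile.capabilities & SENSITIVE_CAPS)]
    return found


def child_grants(text, parent, exe):
    """(confining profile, watch-list rules it grants) for `exe` started from `parent`."""
    profiles = parse_profiles(text)
    confining = exec_profile(profiles, parent, exe)
    if confining is None or confining == "unconfined":
        return confining, []
    return confining, sensitive_grants(profiles[confining])


# Constructed, trimmed versions of the init-script profile before (ix) and
# after (Px) the exec-mode change, plus the daemon's own profile.
INIT_IX = """
#include <tunables/global>
/etc/init.d/ejabberd {
  #include <abstractions/base>
  /etc/init.d/ejabberd r,
  /bin/su ix,
  capability setuid,
  capability setgid,
  /etc/shadow r,
  /usr/sbin/ejabberd ixr,
}
"""
INIT_PX = INIT_IX.replace("/usr/sbin/ejabberd ixr,", "/usr/sbin/ejabberd Px,")
DAEMON = """
/usr/sbin/ejabberd {
  #include <abstractions/base>
  /usr/sbin/ejabberd r,
  /etc/ejabberd/** r,
  /var/lib/ejabberd/** wr,
  /var/log/ejabberd/** wr,
}
"""

if __name__ == "__main__":
    for label, init in (("ix", INIT_IX), ("Px", INIT_PX)):
        who, grants = child_grants(init + DAEMON, "/etc/init.d/ejabberd", "/usr/sbin/ejabberd")
        print(f"{label}: daemon confined by {who}; watch-list rules: {grants or 'none'}")
```

    Run stand-alone, the script shows that with the ix rule the daemon inherits the init script's /etc/shadow read, the su exec and the setuid/setgid capabilities, while with Px it is limited to the rules of /usr/sbin/ejabberd, which names none of them. AppArmor only ever narrows what DAC already allows, so the inherited rules matter exactly in the case raised in #83: when the parent runs as root.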

  6. #86
    Join Date
    Dec 2008
    Location
    Orlando, Fl
    Beans
    471
    Distro
    Kubuntu 12.10 Quantal Quetzal

    Re: AppArmor Support Thread

    I really hate to be a lazy ***, but is there a way I can just import a Firefox profile that is already set up for me? lol

  7. #87
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: AppArmor Support Thread

    Quote Originally Posted by BigCityCat:
    I really hate to be a lazy ***, but is there a way I can just import a Firefox profile that is already set up for me? lol
    There is already a Firefox profile (9.10 only); it just needs to be enabled. If you're using 9.10, all you need to do is:

    Code:
    sudo aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5
    And then restart apparmor:

    Code:
    sudo /etc/init.d/apparmor restart
    This firefox profile should work well most of the time, but since it isn't possible for one profile to serve all purposes, there might be instances where you might find it blocks normal behavior. For that you will need to check the logs in syslog to see what it's blocking and adjust it accordingly.

  8. #88

    Re: AppArmor Support Thread

    To #87: and restart Firefox, I think, if it has not changed in the new apparmor.
    10:10 utc+3: to #70: I had known about that...
    To #85 "... If they work fine, you should post them in the thread for sharing profiles rather than here. ..." - I have not used this enough yet; I have not even registered a user.

    14:52 utc+3: again adding to #87: and maybe you want to deny full access to your home folder and the /mnt/ and /srv/ content; for that you should edit the profile.
    Last edited by q.dinar; December 25th, 2009 at 12:55 PM.

  9. #89

    Re: AppArmor Support Thread

    Hello.
    (Some tips/suggestions.)
    When you test apache, do not just "sudo /etc/init.d/apache2 reload" but "sudo /etc/init.d/apache2 restart" or "... stop" and then "... start", because if you just reload, I think >2010-02-01: even maybe ... (unbelievable..)< some of its processes are left running and no apparmor profile applies to them, and you do not see in syslog what they used.
    I have forgotten the second thing that I wanted to write.
    2009-12-25 23:43 utc+3: I have remembered:
    What do you think about blocking up pppd?
    Last edited by q.dinar; February 1st, 2010 at 11:14 AM.

  10. #90
    Join Date
    Dec 2008
    Location
    Orlando, Fl
    Beans
    471
    Distro
    Kubuntu 12.10 Quantal Quetzal

    Re: AppArmor Support Thread

    Quote Originally Posted by rookcifer:
    There is already a Firefox profile (9.10 only); it just needs to be enabled. If you're using 9.10, all you need to do is:

    Code:
    sudo aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5
    And then restart apparmor:

    Code:
    sudo /etc/init.d/apparmor restart
    This firefox profile should work well most of the time, but since it isn't possible for one profile to serve all purposes, there might be instances where you might find it blocks normal behavior. For that you will need to check the logs in syslog to see what it's blocking and adjust it accordingly.
    I appreciate that, thank you.
