Ok, those of you watching all my posts, I've decided to let go of SElinux for now. In the meantime, I know Apparmor is installed by default, but what do I need to know about setting it up?
Thanks,
SH
bump
bumpity bump
You weren't able to find any information on apparmor?
Hopefully this can get you started.
There are several commands you should get familiar with. (you will need sudo for these commands)
/etc/init.d/apparmor start
/etc/init.d/apparmor stop
/etc/init.d/apparmor status
/etc/init.d/apparmor reload
aa-complain NameOfProfile
aa-enforce NameOfProfile
autodep NameOfApplication
logprofile
There are other commands, but I don't use them.
start - starts apparmor.
stop - stops apparmor.
status - tells you how many profiles you have and what mode they are in.
reload - reloads the profiles.
aa-complain - puts the profile into complain mode. If something doesn't work, put it in this mode. Complain mode is like learning mode.
aa-enforce - puts the profile into enforce mode. After you are done with your settings, put the profile in this mode.
autodep - creates a profile and puts it into complain mode.
logprofile - this is where you set the settings like inherit, glob, allow, deny. This is the most important part! It defines what your program can do and can't do.
If you use the status command, it will show you that you have one profile called /usr/sbin/cupsd in enforce mode.
What do you want to do first?
You need to make a profile for the application you want.
ex: autodep firefox
(Once firefox is created, the profile will be automatically put into complain mode. You can do a status command to check.)
Open firefox and start using firefox normally.
Close firefox.
Now type in sudo logprofile
This is where it will start asking you questions. Pay attention to what it asks you.
In the end, it will ask you to save.
Your profile is still in complain mode. You need to test out your profile by putting it into enforce mode.
Open up your application and try to use it. If you are able to open it up and use it normally, then it's good. (You can still refine your settings - settings are stored in /etc/apparmor.d/)
If it doesn't open or the application doesn't run well, you have 2 options:
1) Delete the profile and start over. (I had to do this a few times)
2) Put the profile back into complain mode. Open up application and use it normally again. Close application. Do sudo logprofile. Put it back into enforce mode. Rinse and repeat.
Fellow apparmor users, please correct me if I'm wrong.
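As an added example for the workflow described above (this is not code from the thread or from the AppArmor project): a small POSIX shell script that writes a starter profile of the kind autodep generates, but with explicit allow and deny rules so the profile syntax you later edit under /etc/apparmor.d/ is visible, and sanity-checks the file before it would be handed to aa-enforce. Assumptions: current AppArmor profile syntax (the owner and deny keywords), a caller-chosen output directory instead of /etc/apparmor.d/ so nothing on the system is touched, and the interactive review step the post calls logprofile is referred to by its shipped name aa-logprof in the comments; the real commands appear only as comments because they need root and an interactive terminal.

```shell
#!/bin/sh
# Added example, not from the thread. Builds and checks an AppArmor profile
# skeleton; the binary path and output directory are hypothetical arguments.

# Print a starter profile for the given executable path (e.g. /usr/bin/firefox).
starter_profile() {
    bin="$1"
    cat <<EOF
#include <tunables/global>

$bin {
  #include <abstractions/base>
  #include <abstractions/user-tmp>

  # the program itself and its libraries: map/read only, never write
  $bin mr,
  /usr/lib/** mr,

  # per-user state the program legitimately needs
  owner @{HOME}/.mozilla/** rw,
  owner @{HOME}/Downloads/** rw,

  # things a browser has no business touching, even if a rule above matches;
  # deny rules win over allow rules
  deny @{HOME}/.ssh/** rwklx,
  deny @{HOME}/.gnupg/** rwklx,
}
EOF
}

# Write the profile into <outdir> using the /etc/apparmor.d naming scheme
# (/usr/bin/firefox -> usr.bin.firefox) and print the resulting path.
write_profile() {
    bin="$1"; outdir="$2"
    name=$(printf '%s' "$bin" | sed 's#^/##; s#/#.#g')
    starter_profile "$bin" > "$outdir/$name"
    printf '%s\n' "$outdir/$name"
}

# Cheap check before enforcing: profile braces balance and every rule line
# (indented, not a comment or #include) ends with a comma. Returns non-zero
# on a malformed profile, which is what aa-enforce would also reject.
check_profile() {
    f="$1"
    opens=$(grep -c '{$' "$f"); closes=$(grep -c '^}' "$f")
    [ "$opens" -eq "$closes" ] || return 1
    ! grep -E '^[[:space:]]+[^#[:space:]].*[^,]$' "$f"
}

# Typical use on a real system (needs sudo and an interactive terminal; not run here):
#   sudo cp "$(write_profile /usr/bin/firefox .)" /etc/apparmor.d/   # or: sudo autodep firefox
#   sudo aa-complain /usr/bin/firefox    # learning mode: violations are logged, not blocked
#   ... start firefox, use it normally, close it ...
#   sudo aa-logprof                      # answer allow/deny/inherit/glob for each logged access
#   sudo aa-enforce /usr/bin/firefox     # violations are now blocked; repeat if the app misbehaves
```

The generated file is only a starting point; the rules you actually need come out of the logged accesses during complain mode, which is why the post's complain, use, review, enforce loop matters more than the skeleton itself.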
Thanks so much!!! You have no idea what I've been through trying to figure out how to make this work!!! Thank you!!
SH
Uhh, I just have one question... how can I set a default policy for all the other apps (besides stuff like firefox, my mail client, etc., which I'll set up myself) to follow? Is it enabled by default? If so, what are the rules it has?
Thank you infinitely,
SH
AFAIK I don't think there is a default policy for all programs. You have to customize each application. There are profiles online. I haven't used them myself.
Well, what apps do I need to customize? I can name Firefox, Pidgin, Thunderbird, and OpenSSH right off... others?
It depends on what programs you have. The ones that you mentioned are pretty good.
This link gives you an idea. It will probably help you better than I can.
http://developer.novell.com/wiki/ind...AppArmor_in.3F
Thanks, that helps. I read at help.ubuntu.com that for hardy, I can download the apparmor-profiles package. Will that give me a default apparmor profile for all unspecified apps?