Re: AppArmor Support Thread
Hi. I have encountered this bit of a problem when I
user@user-desktop:~$sudo genprof
or use any of the apparmor utilities like logprof.
Can't find include file abstractions/apache2-common: No such file or directory
Before the problem arose, I downloaded apparmor-profiles from the repositories. I have them in enforce mode now except a couple. If one of the profiles is looking for abstractions/apache2-common and it's not in the /etc/apparmor.d directory, should I just modify the profile? I don't run apache and don't think I will.
Can you give me a clue on which one of the profiles would include abstraction/apache2-common? Thank you.
Re: AppArmor Support Thread
I'd just use:
grep -r apache /etc/apparmor.d/
to find the offending profile
I had the same problem and fixed it that way. Think it was an apache abstraction actually
Re: AppArmor Support Thread
thank you for the tip.
I did what you said and found the reference to abstractions/apache2-common and modified the profile and saved it.
fine now.
Re: AppArmor Support Thread
Quote: Originally Posted by CandidMan
I'd just use:
grep -r apache /etc/apparmor.d/
to find the offending profile
I had the same problem and fixed it that way. Think it was an apache abstraction actually
Can you tell me what to do exactly?
I have the same problem and after executing the above command I get this:
Code:
arapaho@kompik ~ $ grep -r apache /etc/apparmor.d/
/etc/apparmor.d/apache2.d/phpsysinfo: #include <abstractions/apache2-common>
/etc/apparmor.d/apache2.d/phpsysinfo: /var/log/apache2/access.log w,
/etc/apparmor.d/apache2.d/phpsysinfo: /var/log/apache2/error.log w,
/etc/apparmor.d/abstractions/svn-repositories: # it is intended to be included in profiles for svnserve/apache2 and maybe
/etc/apparmor.d/abstractions/php5: /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/ r,
/etc/apparmor.d/abstractions/php5: /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/*.ini r,
Re: AppArmor Support Thread
I just deleted the line containing:
#include <abstractions/apache2-common>
I suppose that's a 'hack' but it seems to work
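An added example (not written by any poster in this thread): a shell function that automates the grep shown above by listing every profile that includes a file missing from the profile directory. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# List every include in an AppArmor profile tree whose target file is missing.
# Usage: find_missing_includes [PROFILE_DIR]   (default: /etc/apparmor.d)
find_missing_includes() {
    base=${1:-/etc/apparmor.d}
    # -I skips binary files (e.g. a profile cache). The pattern matches
    # "#include <x>" and "include <x>", but not "include if exists <x>",
    # which is allowed to be absent.
    grep -rIE '^[[:space:]]*#?include[[:space:]]+<[^>]+>' "$base" 2>/dev/null |
    while IFS= read -r hit; do
        file=${hit%%:*}        # grep -r prefixes each hit with "path:"
        target=${hit#*<}       # text after the first "<"
        target=${target%%>*}   # ... up to the closing ">"
        # Angle-bracket includes resolve relative to the profile directory.
        [ -e "$base/$target" ] || printf '%s: %s\n' "$file" "$target"
    done
}

# Constructed sample tree (not from a real system) reproducing the thread's
# case: phpsysinfo includes an abstraction that was never installed.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/abstractions" "$d/apache2.d"
    : > "$d/abstractions/base"
    printf '%s\n' '  #include <abstractions/apache2-common>' \
        '  /var/log/apache2/access.log w,' > "$d/apache2.d/phpsysinfo"
    printf '%s\n' '#include <abstractions/base>' > "$d/usr.bin.firefox"
    printf '%s\n' "$d"
}

sample=$(make_sample_tree)
find_missing_includes "$sample"   # reports only apache2.d/phpsysinfo
rm -rf "$sample"
```

Run against the real directory with `find_missing_includes /etc/apparmor.d`; each output line names the profile to fix and the include it cannot resolve.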
Re: AppArmor Support Thread
Edits - the whole thing LOL - multiple times :)
Hi and thanks for all the incredible information - there are giants in the room:twisted:
I have been slowly working through securing a laptop install of LinuxMint which is based on Ubuntu 10.10. Very similar in many ways. Draws on Ubuntu repos.
Have installed AA (though some parts built in), AA-profiles, -docs, -notify, and their deps.
I have AA profile for firefox, based on the default one which came bundled with the distro. I am pretty sure they didn't change anything from the Ubuntu 10.10 default FF profile, though I did. Slowly reading and gaining understanding.
A couple questions . . . .
[Redacted a big chunk of my post cause I need to read up and not be stupid.]
I had some difficulty getting the profile to stick.
On system restart, it was fine, but on reload or restart of AA, Firefox's profile got dropped from view (neither enforce, nor complain . . .inconsistently).
[redacted - need to gather more info to expect response]
Will report back on [redacted] my progress
Will make separate post as I am feeling ridiculous with multiple edits. :)
(Part of message redacted. I had issue with Flash not working - was me not reading posts and instructions, then not hitting save. . .<chuckle>)
All of your help (any) will be much appreciated.
You rock:guitar:
Re: AppArmor Support Thread
Ok
let's try from a fresh piece of paper, eh? :)
Still having issue with what profiles get loaded when:
#on system restart - everything cool
#on restart or reboot of AA - Firefox not in status list, must start individually
#also on AA re-up - sometimes, inconsistently, samba daemons are unconfined!?
Is this all expected/dangerous/ . . .I'm unsure! Mostly about Samba since I don't have a printer, but may one day get one.
I expect to keep it around, but . . . don't know if I should care that it's loose irregularly :confused:
Muchos gracias, dudes.
and sorry about the mess, I'm under construction. :-({|=
(cool, a smily playin fiddle)
mini
Re: AppArmor Support Thread
OK, let's see what I can do for you :)
Quote: Originally Posted by MiniT
I have AA profile for firefox, based on the default one which came bundled with the distro. I am pretty sure they didn't change anything from the Ubuntu 10.10 default FF profile, though I did. Slowly reading and gaining understanding.
Make sure here that you remove the usr.bin.firefox link from /etc/apparmor.d/disable/ (anything in this directory isn't loaded by AppArmor).
Quote: Originally Posted by MiniT
I had some difficulty getting the profile to stick.
On system restart, it was fine, but on reload or restart of AA, Firefox's profile got dropped from view (neither enforce, nor complain . . .inconsistently).
This is odd. It should (as you expect) either load or not load and be consistent about it. Check for the link in /etc/apparmor.d/disable/ and see if there's anything interesting in your logs.
Quote: Originally Posted by MiniT
(Part of message redacted. I had issue with Flash not working - was me not reading posts and instructions, then not hitting save. . .<chuckle>)
Flash is silly anyway, I look forward to the day when we can all do without it :)
Quote: Originally Posted by MiniT
Still having issue with what profiles get loaded when:
#on system restart - everything cool
#on restart or reboot of AA - Firefox not in status list, must start individually
#also on AA re-up - sometimes, inconsistently, samba daemons are unconfined!?
Is this all expected/dangerous/ . . .I'm unsure! Mostly about Samba since I don't have a printer, but may one day get one.
I expect to keep it around, but . . . don't know if I should care that it's loose irregularly :confused:
Yea, it's bad for something to not be loaded when it should. Especially if the profile isn't in /etc/apparmor.d/disable/, it should always be loaded then. I can't recall what it does with a syntax error in the profile, but that should still be a consistent load or not load.
Re: AppArmor Support Thread
Thank you for your timely reply, much needed assistance (and forbearance)
All is well - some thoughts:
oooohhhhh.
Right, this makes perfect sense . . .
I'll put the inconsistency up to my errors of some kind. User error is usually a safe bet when things aren't consistent in some way. :)
Actually followed the Flash issue just as per directions:
tail -F /var/log/messages
in separate term, sudo gedit /etc/apparmor.d/usr.bin.firefox
(fiddle with the goofy bits - my work - one line at a time)
freshly started FF profile, FF open to HULU.com
messages say first thing - (whine) FF gets into a special MINT flash directory! what the. . . OK, works much better now
Here's to directions :)
@jgoguen - yeah man, yeah
Re: AppArmor Support Thread
New post for organizational purposes. :)
Grey area regarding permissions - requires ME reading.
What I would like a hint on is EXPLICIT versus IMPLICIT rules in profiles.
It starts with whatever permission it had before.
That means the firefox or transmission or samba critter may have a user account of sorts in a group of some kind - and defined limits thereof.
What I don't get is why I can Save Page As . . . and see - pretty much anything. Maybe even save to most sensitive areas - by default?
Shouldn't FF be, well, less honored?
Is this the place for AA - to trim the over-reaching program?
Or is there another, more appropriate way to fence in programs' screwing with my sacred files?
Seems like it would be a long list of DENYs to trim permissions only in a AA profile - if I wanted to limit it LITERALLY to only what it asked for and needed.
What if I start with a profile that basically says:
audit deny / mrwkl # or anything else goshdarnit
Maybe I don't have the syntax right, but you get the idea.
In complain, it should tell me everything it needs access to, and I get to figure out if it really does or not (the hard part).
But how do I keep the blanket denial, with holes punched?
Can I basically say NO then, WELL MAYBE? What would that syntax look like?
My profile seems very relative and very reactive to outside permissions.
Is this just part of the gammit with AA? (uh-oh, the music is starting to fade - this Armor is starting to feel heavy :) )
Thank you for your help before, and in future.
again @jgoguen - yeah man:cool:
(Links and "read this, dummy" would be most helpful) peace yall