Thread: How to Configure Apparmor?

  1. #1
    Join Date
    Feb 2008
    Location
    Oklahoma, US
    Beans
    306
    Distro
    Ubuntu Studio 10.04 Lucid Lynx

    How to Configure Apparmor?

    OK, those of you watching all my posts, I've decided to let go of SELinux for now. In the meantime, I know Apparmor is installed by default, but what do I need to know about setting it up?

    Thanks,

    SH

  4. #4
    Join Date
    Sep 2006
    Beans
    56

    Re: How to Configure Apparmor?

    You weren't able to find any information on apparmor?

    Hopefully this can get you started.
    There are several commands you should get familiar with. (you will need sudo for these commands)
    /etc/init.d/apparmor start
    /etc/init.d/apparmor stop
    /etc/init.d/apparmor status
    /etc/init.d/apparmor reload

    aa-complain NameOfProfile
    aa-enforce NameOfProfile

    autodep NameOfApplication
    logprofile

    There are other commands, but I don't use them.

    start - starts apparmor.
    stop - stops apparmor.
    status - tells you how many profiles you have and what mode they are in.
    reload - reloads the profiles.
    aa-complain - puts the profile into complain mode. If something doesn't work, put it in this mode. Complain mode is like learning mode.
    aa-enforce - puts the profile into enforce mode. After you are done with your settings, put the profile in this mode.
    autodep - creates a profile and puts it into complain mode.
    logprofile - this is where you set the settings like inherit, glob, allow, deny. This is the most important part! It defines what your program can do and can't do.

    If you use the status command, it will show you that you have one profile called /usr/sbin/cupsd in enforce mode.

    What do you want to do first?
    You need to make a profile for the application you want.
    ex: autodep firefox
    (Once firefox is created, the profile will be automatically put into complain mode. You can do a status command to check.)
    Open firefox and start using firefox normally.
    Close firefox.
    Now type in sudo logprofile
    This is where it will start asking you questions. Pay attention to what it asks you.
    In the end, it will ask you to save.
    Your profile is still in complain mode. You need to test out your profile by putting it into enforce mode.
    Open up your application and try to use it. If you are able to open it up and use it normally, then it's good. (You can still refine your settings - settings are stored in /etc/apparmor.d/)
    If it doesn't open or the application doesn't run well, you have 2 options:
    1) Delete the profile and start over. (I had to do this a few times)
    2) Put the profile back into complain mode. Open up application and use it normally again. Close application. Do sudo logprofile. Put it back into enforce mode. Rinse and repeat.

    Fellow apparmor users, please correct me if I'm wrong.
    Ubuntu 12.04. 64bit. Desktop version. Gnome 3.4.1 O͜͡.O~
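
Added example, not part of the original posts: post #4 describes switching a profile between complain and enforce mode and re-testing the application. The kernel log records complain-mode events as `apparmor="ALLOWED"` and enforce-mode refusals as `apparmor="DENIED"`, and this script summarizes either kind for one profile. The log lines are constructed, and the `/usr/bin/firefox` profile name and the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): summarize AppArmor log events per profile.
# All log lines are constructed; /usr/bin/firefox and the file paths are
# hypothetical. /usr/sbin/cupsd is the profile mentioned in the post.

sample_log() {
cat <<'EOF'
kernel: audit: type=1400 audit(1336384801.100:10): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/home/sh/.mozilla/prefs.js" pid=2101 comm="firefox" requested_mask="r" denied_mask="r"
kernel: audit: type=1400 audit(1336384900.200:11): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/home/sh/.mozilla/prefs.js" pid=2150 comm="firefox" requested_mask="r" denied_mask="r"
kernel: audit: type=1400 audit(1336384900.300:12): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/home/sh/.mozilla/prefs.js" pid=2150 comm="firefox" requested_mask="r" denied_mask="r"
kernel: audit: type=1400 audit(1336384901.400:13): apparmor="DENIED" operation="mknod" profile="/usr/bin/firefox" name="/home/sh/Downloads/file.pdf" pid=2150 comm="firefox" requested_mask="c" denied_mask="c"
kernel: audit: type=1400 audit(1336384902.500:14): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r"
EOF
}

# aa_events VERDICT PROFILE
# Reads log text on stdin and prints "count mask path" for every event of the
# given verdict (ALLOWED = complain mode, DENIED = enforce mode) and profile,
# most frequent first.
aa_events() {
  awk -v verdict="$1" -v profile="$2" '
    # Return the value of key="value" on the current line, or "" if absent.
    function field(key,   re, s) {
      re = "(^| )" key "=\"[^\"]*\""
      if (!match($0, re)) return ""
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s)   # drop everything up to the opening quote
      sub(/"$/, "", s)        # drop the closing quote
      return s
    }
    field("apparmor") == verdict && field("profile") == profile {
      seen[field("denied_mask") " " field("name")]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -k1,1nr -k3,3
}

# Stand-alone run: what was refused after switching the profile to enforce mode.
sample_log | aa_events DENIED /usr/bin/firefox
```

On a real system, feed the function the kernel log instead of `sample_log`; where AppArmor messages land (for example `/var/log/kern.log` or the audit log) depends on the setup.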

  5. #5
    Join Date
    Feb 2008
    Location
    Oklahoma, US
    Beans
    306
    Distro
    Ubuntu Studio 10.04 Lucid Lynx

    Re: How to Configure Apparmor?

    Thanks so much!!! You have no idea what I've been through trying to figure out how to make this work!!! Thank you!!


    SH

  6. #6
    Join Date
    Feb 2008
    Location
    Oklahoma, US
    Beans
    306
    Distro
    Ubuntu Studio 10.04 Lucid Lynx

    Re: How to Configure Apparmor?

    Uhh, I just have one question... how can I set a default policy for all the other apps (besides stuff like firefox, my mail client, etc., which I'll set up myself) to follow? Is it enabled by default? If so, what are the rules it has?

    Thank you infinitely,

    SH
