Page 18 of 19 FirstFirst ... 816171819 LastLast
Results 171 to 180 of 185

Thread: AppArmor Support Thread

  1. #171
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    Ah . . HAAHH! made it work. (tranny profile from above).

    I am not absolutely sure of the meaning of the newer execute permissions. (Known - mrkwl + a. Got - ix, px, Px, ux, Ux.) But what does PUx and other combos do?

    EDIT: RE: "PUx, etc." see my post further down, found some explanation in dev mailing list

    RE: the transmission profile - I made something work.
    The long way round - used logprof to fiddle with stuff and don't dig it, but that's another story.
    One of it's suggestions to fix my Transmission profile was to include a ubuntu-bittorrent-client abstraction - nope. But hat has the execute line I needed for Firefox to call up (execute) Transmission, to open a magnet link or torrent file. Thought there was a problem with the trans. profile, looking in the wrong place: LOL.

    So "r" is obvious, and documented, but "PUx" is another matter . . . ? see later post
    Seems like - use an existing profile, scrub environment, but also don't confine.. . ? Could use a shove in the right direction here, boss. Doesn't seem to be documented yet (where I'm looking ), though I see many signs of new growth.

    As always, thanks and peaceful days to you.
    You'ns rock.

    --------------------------------------------------------------------

    Looking forward to posting a few profiles for new versions of progs.
    I can be proud of myself even if nobody uses them - hehe.
    Last edited by MiniT; August 23rd, 2011 at 11:31 PM. Reason: mhmm, yup, tha's right m'friend. now, what was I doing . . ? . .

  2. #172
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    Quote Originally Posted by MiniT View Post
    Ah . . HAAHH! made it work. (tranny profile from above).

    I am not absolutely sure of the meaning of the newer execute permissions. (Known - mrkwl + a. Got - ix, px, Px, ux, Ux.) But what does PUx and other combos do?

    RE: the transmission profile - I made something work.
    The long way round - used logprof to fiddle with stuff and don't dig it, but that's another story.
    One of it's suggestions to fix my Transmission profile was to include a ubuntu-bittorrent-client abstraction - nope. But hat has the execute line I needed for Firefox to call up (execute) Transmission, to open a magnet link or torrent file. Thought there was a problem with the trans. profile, looking in the wrong place: LOL.

    So "r" is obvious, and documented, but "PUx" is another matter . . . ?
    Seems like - use an existing profile, scrub environment, but also don't confine.. . ? Could use a shove in the right direction here, boss. Doesn't seem to be documented yet (where I'm looking ), though I see many signs of new growth.

    As always, thanks and peaceful days to you.
    You'ns rock.

    --------------------------------------------------------------------

    Looking forward to posting a few profiles for new versions of progs.
    I can be proud of myself even if nobody uses them - hehe.
    The documentation on apparmor is hard to find sometimes.

    See the bottom section on this page :

    http://www.linuxtopia.org/online_boo...r_bx5bmkc.html
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  3. #173
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    Yes! An excellent explanation.
    Here is why I ask.

    Edit: Found an answer in archive of dev mailing list - hopefully helpful.
    https://lists.ubuntu.com/archives/apparmor/2011-April/

    I have seen Pxr, pxr, rix, et al.
    But in ubuntu-bittorrent-clients file (abstraction), I found this!
    Code:
    #
    # abstraction for allowing graphical bittorrent clients in Ubuntu
    #
      /usr/bin/azureus PUxr,
        . . .
      /usr/bin/transmission PUxr,
    In fact, almost all progs listed in the default abstractions I have are called this way.
    From the linuxtopia page you linked, in reference to "px":
    Incompatible with Ux, ux, Px, and ix.
    Each of these five is incompatible with the others,
    and assuming that the abstraction's rules are written "legally", apparently so
    I must deduce this:
    # PUxr = (Pxr OR Uxr is allowed)
    # If there is a profile it MUST be used.
    # If there is not a profile, let [BT client] run unconfined.
    # Either way, scrub the environment variables.

    RE: environment variables - apparently the first bit, P of Pux, sets whether env. vars are kept or not. Not 100% if this is still the case.

    PLEASE do set me straight if I've strayed there.

    Doesn't it make sense to get rid of the "U"s there?
    Surely in the case of torrent clients or other net facing executables?
    Is that probably another case of permissiveness built in?
    I can appreciate the desire not to restrict an end user's (someone else's) program functionality while they work on local authoring. But I prefer to break my toys, only to put them back together stronger.
    (In fact, I am gaining great respect for Jamie and others who's names are all over the profiles in my apparmor profiles pkg.)

    Again, please set me straight if you would.

    As always thank you kindly,
    and . . .
    you rock!
    --------------------------------------------------------------
    LinuxMint10 Julia (pretty clone of Ubuntu 10.10)
    AppArmor version 2.5.1
    Last edited by MiniT; August 23rd, 2011 at 11:58 PM. Reason: credit where credit's due + Found Something!

  4. #174
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    Another post because I din't ask very well a while ago.
    When I see this:
    Code:
    Aug 21 10:46:52 mini1012 kernel: [ 2682.813007] type=1400 audit(1313938012.696:49): apparmor="DENIED" operation="file_mprotect" parent=1 profile="/usr/bin/transmission" name="/usr/bin/transmission" pid=2905 comm="transmission" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    How would you go from that to a rule?
    Does it require more information?
    I guessed well, basically, and the fix worked. (To open magnet link with transmission, FF needs permission to run Transmission.)
    But no idea what the connection between message line(above) and my fix!?

    Sometimes the log lines say, forgive the shorthand, "DENYed" - "/directory/file"
    and it's obvious what to correct for simple file access.
    This is much less obvious.

    Is this a case for logprof? I don't like her so much, but . . .
    It would be better if I can crawl into the machine a bit and understand why she is telling me these off-the-wall suggestions.

    If only I could go from the code in log messages to human, preferably English.

    As always, I am grateful for the guidance
    MiniT
    --------------------------------------------------------------
    LinuxMint10 Julia (pretty clone of Ubuntu 10.10)
    AppArmor version 2.5.1
    Last edited by MiniT; August 24th, 2011 at 12:08 AM. Reason: per usual

  5. #175
    Join Date
    Aug 2011
    Beans
    1

    Re: AppArmor Support Thread

    Hello - I've just started using apparmor and it's driving me mad - I hope someone can help.
    I'm running ubuntu 11.04 and have created a profile for apache2. The profile is called /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2. I ran the profile in complain mode for a bit - did a bit of surfing on the web etc and then ran sudo aa-logprof. I could see that my profile was updated. I then set the profile to enforce. All looked good until I tried to restart apache - the stop and start failed. In /var/log/syslog I could see a couple of denied messages so I put profile back into complain mode, stopped and started apache (which ran fine) and then ran aa-logprof again. Put profile back in enforce mode and same issue - could n't stop and start apache.

    So I manually added the files in was complaining about to the profile and then ran the command sudo apparmor_parser -r /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2.
    I tried the apache restart again and it failed - this time syslogs showed different files. I've been manually adding to the profile for nearly an hour now.

    Anyone had this problem where complain mode doesn;t fully update the profile - or am I doing something wrong?

    Thanks

    Pete

  6. #176
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!

    Re: AppArmor Support Thread

    Apache is a web server, so just browsing the Internet won't give you a proper profile for Apache. You need to exercise your own server, not other people's servers. Things like loading pages from your own server, making it execute scripts and anything else you expect it to be doing during its normal operation.

    That said, I also look at aa-logprof as a way to generate a starting profile. It doesn't (in my opinion) tend to give you a profile that can be used as-is; you still need to go through the generated profile and clean it up. Usually, that means taking an educated guess about which profile entries can be removed, loosened up or tightened and reading the logs when things don't work right to see what you should add to your profile. It's very rare that you could take software as complex as Apache and right away get a perfectly working profile with aa-logprof.

    In general, you should start with less complicated programs and generate good profiles for them before attempting something as complex as Apache. Try starting with Empathy or Evince (which has a profile in /etc/apparmor.d/ already, so you could refer to that to start) first and then move to more complex software. Firefox is an example of one that can take a bit to get right and is rarely customized the same way by many people. Apache adds an additional layer of complexity by allowing you to load mod_apparmor and take advantage of AppArmor's concept of "hats"; see http://wiki.apparmor.net/index.php/Mod_apparmor for a good starting point.

    Once you've had some time to investigate other profiles and tweak your generated Apache profile, if you're still having problems please feel free to post your profile here (enclosed in code tags) and I'm sure the great group of people around here would be happy to help you move along.
    Joel Goguen

  7. #177
    Join Date
    Oct 2011
    Beans
    92

    Re: AppArmor Support Thread

    I have written a profile for firefox that seems to work (although it is probably a little lax at this stage)

    One thing I am slightly confused about is "rix" against executables, I know ix means inherit parents profile and r means read only, but why would not just ix?

    Another thing I keep seeing in the logs is "/run/shm/pulse-shm-3405496852" where the number at the end changes, and read access is requested. I haven't allowed this and all seems to work, but I am curious as to what it wants as it is cluttering the logs.

    Finally in order to read a pdf in firefox with adobe I had to add:
    /usr/bin/dirname rix,
    /usr/bin/test rix,
    /bin/sed rix,
    /usr/bin/expr rix,
    /bin/pwd rix,
    /usr/bin/cut rix,
    /bin/cat rix,
    /bin/uname rix,
    /bin/rm rix,
    /bin/mkdir rix,
    /bin/cp rix,
    Is this normal that it would need all these functions?

    Thanks

  8. #178
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    hey there Azrael

    I just got a new system set up and haven't had time to look through AppArmor files for a few.
    If any of the below is elementary or more basic than you're asking for, please pardon since I don't know what level you are at - and I'm hardly Master at this - just friendly.

    Seems you have another issue besides what you are asking for.
    As the heavyweights in the Ubuntu security area will tell you, Firefox is not an easy one to start with. They will encourage you to start with something much less connected and simpler.

    I also started with the Firefox - to my chagrin.
    Here is the way I approached, so you can save some misery trying to do it from scratch:
    There are profiles posted in another thread here from folks with more experience. Read through them and read through al the info you can find on how this AppArmor thing works - and you'll be able to decide what needs to be tweaked. See endof post for helpful links.
    It is safe to start with the default profiles that are part of a package (called AppArmor profiles? maybe? No remember).
    The default profiles are pretty open, but safer than NO App Armor was!
    Set to complain, watch logs, try to connect what you do at one second and what the log says. For instance, see what the log says when you open the PDF from in Firefox.
    Nothing? Then no rule violation. Is that OK with you? Do you maybe want a rule that says Firefox can't open PDFs from your Documents folder? You can write a rule that Denies that.

    Executes are a little more tricky. Definitely requires much study, on your part.
    Please see some friendly links at end of post.

    I remember Adobe causing an extra wrinkle in this profile business.
    As long as it is acting as an addon, it is within your Firefox AppArmor profile and rules for its actions fall within that. When Firefox calls up a seperate binary or program on your filesystem, then tell it to inherit profile, or write a new one for it.

    SO, long story short . . .

    The best info to give if you want a good guidance about your issue, is to attach or somehow post your profile here, then describe or also post the part of the log that is troubling you. For instance, what led you to believe you have to give those permissions? Did /var/log/messages contain an apparmor line that you interpreted as saying you had to give that permission?

    Hopefully some of this was helpful at least?
    Goodluck and try these!
    Be careful of accuracy, check details at two sources if possible.

    mini

    in no particular order
    Mandatory access control - Wikipedia, the free encyclopedia
    Securing Debian Manual
    [ubuntu] AppArmor enforce program without logging - Ubuntu Forums
    Main Page - AppArmor
    AppArmor Detail - openSUSE
    SDB:AppArmor geeks - openSUSE
    [all variants] Introduction to AppArmor - Ubuntu Forums
    [SOLVED] Help debugging apparmor profile - Ubuntu Forums
    [all variants] Share your AppArmor Profiles - Page 10 - Ubuntu Forums
    AppArmor - Community Ubuntu Documentation
    AppArmor - Ubuntu Wiki
    [SOLVED] How to test that Apparmor is working? - Page 2 - Ubuntu Forums
    http://bodhizazen.net/aa-profiles/bo...sr.bin.firefox
    linuxtopia.org

  9. #179
    Join Date
    Apr 2011
    Beans
    23

    Re: AppArmor Support Thread

    @Azrael-

    BTW - pulse is almost certainly PulseAudio (pulsecookies?) so it is just your audio abstraction. Is this being denied? Or is your complaining profile saying something, so it would deny if enforced? You will want to find out why that is not allowed - maybe allow so when enforced profile - you don't lose sounds! I don't think its serious at all.

    And another thought on your list of permissions:
    Did you have acopy of the default profile from the developers - the one that comes as part fo the package - to compare to? There might be a mistake in yur tweked version, a deleted line? Also check to make sure you are INCLUDing all you should be. Those default files save a TON of work. Yea developers, you guys rock!!!!

    good luck - only trying to help
    mini

  10. #180
    Join Date
    Dec 2007
    Beans
    12,521

    Re: AppArmor Support Thread

    I'm quite new to Linux (despite the date I joined the forum).
    I'm on Ubuntu 11.10 and am trying to learn to get AppArmor going with Firefox 7.
    To that end, I've installed apparmor-notify and auditd from USC.
    Since the Firefox profile supplied with the 11.10 installation doesn't run by default, I ran
    Code:
    sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
    On examining /var/log/audit/audit.log, the only "denied" message I saw was like this:
    Code:
    type=AVC msg=audit(1320823528.107:31): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/proc/4540/statm" pid=4540 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
    I then modified /etc/apparmor.d/local/usr.bin.firefox to look like this:
    Code:
    # Site-specific additions and overrides for usr.bin.firefox.
    # For more details, please see /etc/apparmor.d/local/README.
    /proc/*/statm r,
    I then ran
    Code:
    sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
    Now, I do not see anymore "denied" messages in the audit.log.

    My question is this: have other people seen the same type of "denied" message when confining Firefox and using the default profile? If they have, how did they deal with it? If the rule I used is the way to go, will the devs consider incorporating it in the main profile (/etc/apparmor.d/usr.bin.firefox) so that the profile is more usable out of the box?

    Needless to say, with the current profile I checked that I can use Firefox, my extensions (Stylish, DOM Inspector, DownThemAll, SimpleBlock) and plug-ins (Flash and IcedTea) without any problems.

Page 18 of 19 FirstFirst ... 816171819 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •