Page 10 of 12
Results 91 to 100 of 112

Thread: Share your AppArmor Profiles

  1. #91
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Share your AppArmor Profiles

    Quote Originally Posted by tlu
    Thanks, bodhi.zazen. Here's the complete output:
    Well, you are in quite a tizzy I see.

    You really need to start over.

    1. Stop firefox.

    2. Reload apparmor

    Code:
    sudo service apparmor stop
    sudo service apparmor start
    That will clear out all those null profiles.

    3. You need to understand what you are doing, as I think you are missing the point. As I keep telling you, a null profile is generated when AppArmor denies execute access to something.

    In complain mode, access is allowed, but the process is then named null something. For example, you have a long list,

    /usr/lib/firefox-3.6.5pre/firefox-*bin//null-24

    See the null-24 ?

    Apparmor will generate a denial for everything "/usr/lib/firefox-3.6.5pre/firefox-*bin//null-24" tries to access.

    You do not debug "/usr/lib/firefox-3.6.5pre/firefox-*bin//null-24" , you fix the initial denial that caused "/usr/lib/firefox-3.6.5pre/firefox-*bin//null-24" to be created.

    So you have to look up in your logs to the last denial that does not contain a "null". Fix that denial, and the nulls will go away.

    This elaborate procedure is meant to "help" with debugging apparmor profiles, but in practice it is of little help at all and, as you can see, causes more confusion.

    You do not "debug" anything with a "//null-xx" in the name, you have to debug the initial denial that caused the null.

    As with previous posts, you are not posting the initial denial. Your posts keep getting longer, but I do not think you understand what to look for.

    Please:

    1. Do not post long logs like that. They do not help and only clutter your posts.

    2. Do not post any log message that contains a null profile. They clutter your post and do not help at all.


    Now, open a terminal. Enter:

    Code:
    tail -F /var/log/messages
    Watch this terminal for errors.

    With your firefox apparmor profile in complain mode, open firefox. If firefox is not working, apparmor is not the problem -> go debug firefox or whatever addon or plugin is broken.

    If firefox works, close firefox, and debug any denials you received in the "tail -F /var/log/messages" terminal.

    Keep repeating until you have managed all the denials.

    Then put the firefox profile into enforcing mode and try to start firefox.

    Post any denial you do not understand, but do not post any denial with a null profile in it.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta


  2. #92
    Join Date
    Aug 2006
    Beans
    82
    Distro
    Kubuntu 13.10 Saucy Salamander

    Re: Share your AppArmor Profiles

    Thanks for your detailed response!

    Quote Originally Posted by bodhi.zazen

    1. Stop firefox.

    2. Reload apparmor

    Code:
    sudo service apparmor stop
    sudo service apparmor start
    Done.

    So you have to look up in your logs to the last denial that does not contain a "null". Fix that denial, and the nulls will go away.
    ...

    If firefox works, close firefox, and debug any denials you received in the "tail -F /var/log/messages" terminal.
    In complain mode I didn't get any log entry without the "null".


    Then put the firefox profile into enforcing mode and try to start firefox.

    Post any denial you do not understand, but do not post any denial with a null profile in it.
    After switching to enforce mode I got the following log (now without the "null"):

    Code:
    May 29 12:25:16 HANNIBAL kernel: [ 1587.419979] __ratelimit: 171 callbacks suppressed
    May 29 12:25:16 HANNIBAL kernel: [ 1587.419981] type=1505 audit(1275128716.952:375):  operation="profile_replace" pid=4012 name="/usr/lib/firefox-3.6.5pre/firefox-*bin"
    May 29 12:25:16 HANNIBAL kernel: [ 1587.420171] type=1505 audit(1275128716.956:376):  operation="profile_replace" pid=4012 name="/usr/lib/firefox-3.6.5pre/firefox-*bin//firefox_java"
    May 29 12:25:16 HANNIBAL kernel: [ 1587.420302] type=1505 audit(1275128716.956:377):  operation="profile_replace" pid=4012 name="/usr/lib/firefox-3.6.5pre/firefox-*bin//firefox_openjdk"
    May 29 12:25:48 HANNIBAL kernel: [ 1619.060824] type=1503 audit(1275128748.596:378):  operation="exec" pid=4037 parent=4036 profile="/usr/lib/firefox-3.6.5pre/firefox-*bin" requested_mask="x::" denied_mask="x::" fsuid=1000 ouid=1000 name="/home/tlu/tmp/flashgot.ho87hudj.Default_20User/flashgot.fgt"

  3. #93
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Share your AppArmor Profiles

    THAT'S IT !!!!

    May 29 12:25:48 HANNIBAL kernel: [ 1619.060824] type=1503 audit(1275128748.596:378): operation="exec" pid=4037 parent=4036 profile="/usr/lib/firefox-3.6.5pre/firefox-*bin" requested_mask="x::" denied_mask="x::" fsuid=1000 ouid=1000 name="/home/tlu/tmp/flashgot.ho87hudj.Default_20User/flashgot.fgt"
    You need to allow execution of flashgot, add this:

    Code:
    owner @{HOME}/tul/tmp/flashgot.*/flashgot* rix,
    restart apparmor ...

    Try to start firefox again. See if there are additional denials (there may well be) and fix those as well.

    It is possible the "flashgot.*" may need to be slightly adjusted, perhaps

    @{HOME}/tul/tmp/flashgot.*.*/* rix,

    Or you may need to add m or k

    Watch the logs ...
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

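    The two steps bodhi.zazen walks through above (in #91: ignore every log line that carries a "//null-NN" sub-profile and look for the real denial; in #93: turn that denial into a profile rule) as an added shell example. This is not code from the thread or from the AppArmor tools. The log lines are constructed in the old type=1503 audit format the thread shows; the hostname, pids, the null-profile line and the places.sqlite line are made up, and the "owner" (fsuid equals ouid) and /home-to-@{HOME} rewrites are my own heuristics, not aa-logprof's.

```shell
#!/bin/sh
# Added example: filter AppArmor denials the way bodhi.zazen describes,
# then suggest a starting rule for each real (non-null) denial.

# Constructed sample log in the old type=1503 audit format seen in the
# thread. Only the flashgot line mirrors a real entry from the thread;
# the rest (hostname, pids, /etc/hosts, places.sqlite) is made up.
PROFILE_LINE='May 29 12:25:16 HOST kernel: [ 1587.419981] type=1505 audit(1275128716.952:375):  operation="profile_replace" pid=4012 name="/usr/lib/firefox-3.6.5pre/firefox-*bin"'
NULL_LINE='May 29 12:25:40 HOST kernel: [ 1610.000000] type=1503 audit(1275128740.000:376):  operation="open" pid=4030 parent=4029 profile="/usr/lib/firefox-3.6.5pre/firefox-*bin//null-24" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=0 name="/etc/hosts"'
EXEC_LINE='May 29 12:25:48 HOST kernel: [ 1619.060824] type=1503 audit(1275128748.596:378):  operation="exec" pid=4037 parent=4036 profile="/usr/lib/firefox-3.6.5pre/firefox-*bin" requested_mask="x::" denied_mask="x::" fsuid=1000 ouid=1000 name="/home/tlu/tmp/flashgot.ho87hudj.Default_20User/flashgot.fgt"'
WRITE_LINE='May 29 12:26:01 HOST kernel: [ 1632.000000] type=1503 audit(1275128761.000:379):  operation="open" pid=4037 parent=4036 profile="/usr/lib/firefox-3.6.5pre/firefox-*bin" requested_mask="rw::" denied_mask="w::" fsuid=1000 ouid=1000 name="/home/tlu/.mozilla/firefox/abc.default/places.sqlite"'
SAMPLE_LOG="$PROFILE_LINE
$NULL_LINE
$EXEC_LINE
$WRITE_LINE"

# Step 1 (post #91): keep only denial records (type=1503) and drop every
# line that mentions a "//null-NN" sub-profile. Those are the consequences
# of an earlier exec denial, not the denial to fix. Reads stdin.
real_denials() {
    grep 'type=1503' | grep -v '//null-'
}

# Pull one quoted key="value" field out of an audit line on stdin.
field() {
    sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# Pull one unquoted numeric key=value field (fsuid, ouid) out of a line on stdin.
numfield() {
    sed -n "s/.*[[:space:]]$1=\([0-9]*\).*/\1/p"
}

# Step 2 (post #93): turn a single denial line into a rule suggestion.
# r, w, m and k pass through unchanged; a denied x becomes "ix", i.e. the
# child inherits the parent's profile, which is what "rix" in the thread does.
suggest_rule() {
    sr_line=$1
    sr_name=$(printf '%s\n' "$sr_line" | field name)
    sr_mask=$(printf '%s\n' "$sr_line" | field denied_mask | tr -d ':')
    sr_fsuid=$(printf '%s\n' "$sr_line" | numfield fsuid)
    sr_ouid=$(printf '%s\n' "$sr_line" | numfield ouid)
    sr_perms=$(printf '%s' "$sr_mask" | sed 's/x/ix/')
    # Heuristic (mine): if the process uid owns the file, prefix "owner" so
    # the rule does not also grant access to other users' files at the same
    # path shape once @{HOME} is substituted.
    sr_owner=''
    if [ "$sr_fsuid" = "$sr_ouid" ]; then
        sr_owner='owner '
    fi
    # Heuristic (mine): assume home directories live under /home/<user> and
    # swap that prefix for @{HOME} so the rule is not tied to one account.
    sr_name=$(printf '%s' "$sr_name" | sed 's|^/home/[^/]*|@{HOME}|')
    printf '%s%s %s,\n' "$sr_owner" "$sr_name" "$sr_perms"
}

# Whole pipeline: log on stdin, one suggested rule per real denial on stdout.
suggest_from_log() {
    real_denials | while IFS= read -r line; do
        suggest_rule "$line"
    done
}

# Stand-alone demo over the constructed log: prints two rules, none for the
# null-profile line or the profile_replace line.
printf '%s\n' "$SAMPLE_LOG" | suggest_from_log
```

    On a live system the same functions take the real log instead of SAMPLE_LOG (for example `grep 'type=1503' /var/log/messages | suggest_from_log`). The output is a starting point only: the paths are exact, so a randomly named temp directory such as flashgot.ho87hudj.Default_20User still wants the kind of glob bodhi.zazen used (flashgot.*/flashgot*), and every x rule deserves a second look before it goes into the profile, since inherited execution is exactly what creates the null profiles when it is missing and widens the sandbox when it is granted too loosely.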

  4. #94
    Join Date
    Aug 2006
    Beans
    82
    Distro
    Kubuntu 13.10 Saucy Salamander

    Re: Share your AppArmor Profiles

    Quote Originally Posted by bodhi.zazen
    THAT'S IT !!!!
    Yes, indeed, it is!

    You need to allow execution of flashgot, add this:

    Code:
    owner @{HOME}/tul/tmp/flashgot.*/flashgot* rix,
    I added that (without the /tul, obviously a typo of yours) and that fixes the problem. No more denials.

    Thanks a lot, bodhi.zazen !

  5. #95
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Share your AppArmor Profiles

    Alrighty then, hope you learned a little about apparmor
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta


  6. #96

    Re: Share your AppArmor Profiles

    Hello,
    there is an AppArmor Support Thread;
    you should post such support discussions there, I think.

  7. #97
    cprofitt (νόησις νοήσεως - nóesis noéseos)
    Join Date
    Oct 2006
    Location
    平静
    Beans
    1,451
    Distro
    Ubuntu Development Release

    Re: Share your AppArmor Profiles

    Very nice thread -- is there a good guide you guys can point to with regard to setting up profiles?

  8. #98
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Share your AppArmor Profiles

    Quote Originally Posted by cprofitt
    Very nice thread -- is there a good guide you guys can point to with regard to setting up profiles?
    http://www.linuxtopia.org/online_boo...ide/index.html

    It has much SUSE specific content, which can be ignored with impunity.

    It is incomplete in some areas, especially how to debug profiles.

    But it is the best single guide I know; from there, as with all things, it comes with use.

    If you use apparmor it takes about 2-3 hours of time for it to all click (hint toggle between complain and enforce mode, "tail -F /var/log/messages").
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta


  9. #99
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Share your AppArmor Profiles

    @Bodhi,

    I tried out a couple of profiles from your site's repo: Wireshark and Skype. I think Wireshark worked well except for a minor change for usb devices ("/dev/usbmon? r," if you even use it for watching usb traffic).

    But Skype has changed a fair bit since that one was created. This nasty program wants to get to all sorts of system info and you can't enforce against it without the program not starting. I ended up enabling the things it wanted.

    The one thing I wanted to ask about is why it wants "m" access to the /etc/passwd file. I know the passwords aren't stored there now but I'm just curious what use it has for looking at the "accounts list" and related info.

    Along with denying access to the /var/lib/dbus/machine-id file, I'd much prefer it not look at those files. But that doesn't appear to be a usable option.

    Anyway, I updated my own copy of the skype profile to work with 10.4 and Skype 2.1 and if anyone wants it I could post it here.

  10. #100
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Share your AppArmor Profiles

    It is amazing what some of these applications access !!!

    Aye, those profiles are "templates" to get started, glad you found them helpful.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta


