
Thread: How to Configure Apparmor?

  1. #1
    Join Date
    Feb 2008
    Location
    Oklahoma, US
    Beans
    306
    Distro
    Ubuntu Studio 10.04 Lucid Lynx

    How to Configure Apparmor?

    Ok, those of you watching all my posts, I've decided to let go of SElinux for now. In the meantime, I know Apparmor is installed by default, but what do I need to know about setting it up?

    Thanks,

    SH

  4. #4
    Join Date
    Sep 2006
    Beans
    56

    Re: How to Configure Apparmor?

    You weren't able to find any information on apparmor?

    Hopefully this can get you started.
    There are several commands you should get familiar with. (you will need sudo for these commands)
    /etc/init.d/apparmor start
    /etc/init.d/apparmor stop
    /etc/init.d/apparmor status
    /etc/init.d/apparmor reload

    aa-complain NameOfProfile
    aa-enforce NameOfProfile

    autodep NameOfApplication
    logprofile

    There are other commands, but I don't use them.

    start - starts apparmor.
    stop - stops apparmor.
    status - tells you how many profiles you have and what mode they are in.
    reload - reloads the profiles.
    aa-complain - puts the profile into complain mode. If something doesn't work, put it in this mode. Complain mode is like learning mode.
    aa-enforce - puts the profile into enforce mode. After you are done with your settings, put the profile in this mode.
    autodep - creates a profile and puts it into complain mode.
    logprofile - this is where you set the settings like inherit, glob, allow, deny. This is the most important part! It defines what your program can do and can't do.

    If you use the status command, it will show you that you have one profile called /usr/sbin/cupsd in enforce mode.

    What do you want to do first?
    You need to make a profile for the application you want.
    ex: autodep firefox
    (Once firefox is created, the profile will be automatically put into complain mode. You can do a status command to check.)
    Open firefox and start using firefox normally.
    Close firefox.
    Now type in sudo logprofile
    This is where it will start asking you questions. Pay attention to what it asks you.
    In the end, it will ask you to save.
    Your profile is still in complain mode. You need to test out your profile by putting it into enforce mode.
    Open up your application and try to use it. If you are able to open it up and use it normally, then it's good. (You can still refine your settings - settings are stored in /etc/apparmor.d/)
    If it doesn't open or the application doesn't run well, you have 2 options:
    1) Delete the profile and start over. (I had to do this a few times)
    2) Put the profile back into complain mode. Open up application and use it normally again. Close application. Do sudo logprofile. Put it back into enforce mode. Rinse and repeat.

    Fellow apparmor users, please correct me if I'm wrong.
    Ubuntu 12.04. 64bit. Desktop version. Gnome 3.4.1 O͜͡.O~
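
Added example, not part of the posts above: in complain mode the kernel logs every access the profile does not yet cover as `apparmor="ALLOWED"`, and in enforce mode as `apparmor="DENIED"`; these are the events the log-review step (shipped in apparmor-utils as `aa-logprof`) asks about. The script below summarises them per profile; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list what AppArmor logged for one profile.
# ALLOWED = complain mode let it through but enforce would block it; DENIED = enforce blocked it.

# Constructed sample lines in the kernel audit format (host, user and paths are made up).
sample_log() {
cat <<'EOF'
Mar  1 10:00:01 host kernel: audit: type=1400 audit(1330596001.100:10): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/home/sh/.mozilla/firefox/profiles.ini" pid=2001 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar  1 10:00:02 host kernel: audit: type=1400 audit(1330596002.200:11): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/home/sh/.mozilla/firefox/profiles.ini" pid=2001 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar  1 10:00:03 host kernel: audit: type=1400 audit(1330596003.300:12): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/firefox" name="/home/sh/.cache/firefox/startup.tmp" pid=2001 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Mar  1 10:05:00 host kernel: audit: type=1400 audit(1330596300.400:13): apparmor="ALLOWED" operation="open" profile="/usr/bin/pidgin" name="/home/sh/.purple/prefs.xml" pid=2100 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar  1 11:00:00 host kernel: audit: type=1400 audit(1330599600.500:14): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/home/sh/Downloads/notes.txt" pid=2200 comm="firefox" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
EOF
}

# aa_events PROFILE [ALLOWED|DENIED] < logfile
# Prints "count verdict operation mask path", one line per distinct event.
aa_events() {
    awk -v p="$1" -v want="${2:-}" '
    # Return the value of a key="value" pair on the current line, or "".
    function field(key,    s) {
        if (!match($0, " " key "=\"[^\"]*\"")) return ""
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    / apparmor="(ALLOWED|DENIED)"/ {
        verdict = field("apparmor")
        if (field("profile") != p || (want != "" && verdict != want)) next
        path = field("name"); if (path == "") path = "-"
        seen[verdict " " field("operation") " " field("denied_mask") " " path]++
    }
    END { for (k in seen) print seen[k], k }' | sort -k2
}

# True when an enforced profile is still blocking something, i.e. option 2 in the
# post applies: back to complain mode, use the application, review the log again.
needs_relearn() { [ -n "$(aa_events "$1" DENIED)" ]; }

# Demo on the constructed sample.
sample_log | aa_events /usr/bin/firefox
```

On a real system, feed it the kernel log instead of the sample, for example `aa_events /usr/bin/firefox < /var/log/kern.log` (or `/var/log/audit/audit.log` when auditd is running).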

  5. #5
    Join Date
    Feb 2008
    Location
    Oklahoma, US
    Beans
    306
    Distro
    Ubuntu Studio 10.04 Lucid Lynx

    Re: How to Configure Apparmor?

    Thanks so much!!! You have no idea what I've been through trying to figure out how to make this work!!! Thank you!!


    SH

  6. #6
    Join Date
    Feb 2008
    Location
    Oklahoma, US
    Beans
    306
    Distro
    Ubuntu Studio 10.04 Lucid Lynx

    Re: How to Configure Apparmor?

    Uhh, I just have one question... how can I set a default policy for all the other apps (besides stuff like firefox, my mail client, etc., which I'll set up myself) to follow? Is it enabled by default? If so, what are the rules it has?

    Thank you infinitely,

    SH

  7. #7
    Join Date
    Sep 2006
    Beans
    56

    Re: How to Configure Apparmor?

    AFAIK I don't think there is a default policy for all programs. You have to customize each application. There are profiles online. I haven't used them myself.

  8. #8
    Join Date
    Feb 2008
    Location
    Oklahoma, US
    Beans
    306
    Distro
    Ubuntu Studio 10.04 Lucid Lynx

    Re: How to Configure Apparmor?

    Well, what apps do I need to customize? I can name Firefox, Pidgin, Thunderbird, and OpenSSH right off... others?

  9. #9
    Join Date
    Sep 2006
    Beans
    56

    Re: How to Configure Apparmor?

    It depends on what programs you have. The ones that you mentioned are pretty good.
    This link gives you an idea. It will probably help you better than I can.
    http://developer.novell.com/wiki/ind...AppArmor_in.3F

  10. #10
    Join Date
    Feb 2008
    Location
    Oklahoma, US
    Beans
    306
    Distro
    Ubuntu Studio 10.04 Lucid Lynx

    Re: How to Configure Apparmor?

    Thanks, that helps. I read at help.ubuntu.com that for hardy, I can download the apparmor-profiles package. Will that give me a default apparmor profile for all unspecified apps?
