LinuxQuestions.org


archuserman 07-20-2020 05:32 PM

Does apparmor make all the profiles you need?
 
I just installed apparmor and none of the tutorials I can find mentioned when you need to make your own profiles. Does apparmor automatically make profiles for all programs you install?

berndbausch 07-21-2020 07:27 AM

Not apparmor, but the package you install should create the profile. Whether this is done depends on the package, I guess, but distros where apparmor is the default, like Suse, are likely to add apparmor code to packages' postinstall scripts.

RickDeckard 07-21-2020 10:36 AM

There should be two utilities your version of Apparmor comes with, aa-genprof and aa-logprof. Run them in that order while paying attention to the instructions on the terminal and you should have at least a good starting point if you need any more profiles than what your download manager gives.

Turbocapitalist 07-21-2020 11:27 AM

It doesn't make any profiles, though it might load a few that have been packaged with it. The AppArmor package does contain at least a few profiles for some other programs. However, the ones I have looked at are mostly far too loose to be of much benefit. So it will most likely be the case that you must also replace the few existing profiles which were provided for you in addition to creating wholly new ones. The good news is that after the second or third profile, they are rather quick to develop as by then you've kind of figured out how it's done along with the intersection of what it can do with what you actually want it to do.

Note that AppArmor restrictions only apply to the filesystem. The networking is still all or nothing and not capable of limiting access to specific protocols (either networking or application layer) or, for that matter, even port numbers.

archuserman 07-21-2020 02:51 PM

Is it worth the trouble to learn selinux or should I stick with this? There are 47 profiles preloaded in enforce mode. I'm using arch linux with the hardened kernel. Like Rick. Do you mean use aa-genprof and aa-logprof on every program? It says it needs a specific program for the command. Should MAC even be applied to networking? I thought the point was guarding files from being tampered with. If you care to know the profiles, here is the output:

Code:

[user@Computer ~]$ sudo aa-status
[sudo] password for user:
apparmor module is loaded.
47 profiles are loaded.
47 profiles are in enforce mode.
  /usr/lib/apache2/mpm-prefork/apache2
  /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
  /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
  /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
  /usr/lib/dovecot/anvil
  /usr/lib/dovecot/auth
  /usr/lib/dovecot/config
  /usr/lib/dovecot/deliver
  /usr/lib/dovecot/dict
  /usr/lib/dovecot/dovecot-auth
  /usr/lib/dovecot/dovecot-lda
  /usr/lib/dovecot/dovecot-lda//sendmail
  /usr/lib/dovecot/imap
  /usr/lib/dovecot/imap-login
  /usr/lib/dovecot/lmtp
  /usr/lib/dovecot/log
  /usr/lib/dovecot/managesieve
  /usr/lib/dovecot/managesieve-login
  /usr/lib/dovecot/pop3
  /usr/lib/dovecot/pop3-login
  /usr/lib/dovecot/ssl-params
  /usr/lib/dovecot/stats
  /usr/sbin/dnsmasq
  /usr/sbin/dnsmasq//libvirt_leaseshelper
  apache2
  apache2//DEFAULT_URI
  apache2//HANDLING_UNTRUSTED_INPUT
  apache2//phpsysinfo
  avahi-daemon
  dovecot
  identd
  klogd
  lsb_release
  mdnsd
  nmbd
  nscd
  ntpd
  nvidia_modprobe
  nvidia_modprobe//kmod
  ping
  smbd
  smbldap-useradd
  smbldap-useradd///etc/init.d/nscd
  syslog-ng
  syslogd
  traceroute
  winbindd
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Thanks

Turbocapitalist 07-22-2020 04:36 AM

Thanks. The names of the profiles are not as relevant as to how they actually limit access for said packages.

Which packages are you most concerned about?

RickDeckard 07-25-2020 10:36 AM

I'm using SELinux on Arch, so I can't quite tell you what Apparmor should be doing with it; however, I do know that what you're seeing in aa-status is normal. Apparmor is more specifically designed for network connections whereas SELinux would protect all labeled files (the filesystem) in itself. It's designed for a higher degree of convenience while applying targeted security improvements.


I wouldn't use those two commands on every program unless you feel like creating a single profile for every one. Even for Java alone, which I do end up using for Maven and BurpSuite, the time spent on that is high enough to make me use aa-complain in a good chunk of cases.
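
Added example, not part of any post in this thread: a small shell function that reads `aa-status` text and reports whether the loaded profiles actually confine any running process, which is the part of the posted output (47 profiles loaded, 0 processes with a profile) that is easy to overlook. The function names and the sample text are constructed for illustration, and the parsing assumes the line layout shown in the posted output.

```shell
#!/bin/sh
# Added example: summarise `aa-status` text read from stdin.
# Parsing assumes the line layout of the output posted in this thread.

# Constructed sample, shaped like the posted output but shortened.
sample_status() {
  cat <<'EOF'
apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
  /usr/sbin/dnsmasq
  ping
1 profiles are in complain mode.
  traceroute
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
EOF
}

# Prints one line of counts and one verdict line.
aa_summary() {
  awk '
    /^[0-9]+ profiles are loaded/             { loaded = $1 }
    /^[0-9]+ profiles are in enforce mode/    { enforce = $1 }
    /^[0-9]+ profiles are in complain mode/   { complain = $1 }
    /^[0-9]+ processes have profiles defined/ { procs = $1 }
    /^[0-9]+ processes are unconfined but have a profile defined/ { stale = $1 }
    END {
      printf "profiles: loaded=%d enforce=%d complain=%d; ", loaded, enforce, complain
      printf "processes: with_profile=%d unconfined_with_profile=%d\n", procs, stale
      # Loaded profiles only matter once a running process is attached to one.
      if (loaded > 0 && procs == 0)
        print "verdict: profiles are loaded but no running process matches one"
      else if (stale > 0)
        print "verdict: some processes started before their profile loaded; restart them to confine them"
      else
        print "verdict: every running process with a profile is confined by it"
    }
  '
}

# On a real system: sudo aa-status | aa_summary
sample_status | aa_summary
```
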


All times are GMT -5.