Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I just installed apparmor and none of the tutorials I can find mentioned when you need to make your own profiles. Does apparmor automatically make profiles for all programs you install?
Not apparmor, but the package you install should create the profile. Whether this is done depends on the package, I guess, but distros where apparmor is the default, like Suse, are likely to add apparmor code to packages' postinstall scripts.
There should be two utilities your version of Apparmor comes with, aa-genprof and aa-logprof. Run them in that order while paying attention to the instructions on the terminal and you should have at least a good starting point if you need any more profiles than what your download manager gives.
It doesn't make any profiles, though it might load a few that have been packaged with it. The AppArmor package does contain at least a few profiles for some other programs. However, the ones I have looked at are mostly far too loose to be of much benefit. So it will most likely be the case that you must also replace the few existing profiles which were provided for you in addition to creating wholly new ones. The good news is that after the second or third profile, they are rather quick to develop as by then you've kind of figured out how it's done along with the intersection of what it can do with what you actually want it to do.
Note that AppArmor restrictions only apply to the filesystem. The networking is still all or nothing and not capable of limiting access to specific protocols (either networking or application layer) or, for that matter, even port numbers.
Is it worth the trouble to learn SELinux or should I stick with this? There are 47 profiles preloaded in enforce mode. I'm using Arch Linux with the hardened kernel. Like Rick. Do you mean use aa-genprof and aa-logprof on every program? It says it needs a specific program for the command. Should MAC even be applied to networking? I thought the point was guarding files from being tampered with. If you care to know the profiles, here is the output:
Code:
[user@Computer ~]$ sudo aa-status
[sudo] password for user:
apparmor module is loaded.
47 profiles are loaded.
47 profiles are in enforce mode.
/usr/lib/apache2/mpm-prefork/apache2
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
/usr/lib/dovecot/anvil
/usr/lib/dovecot/auth
/usr/lib/dovecot/config
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dict
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/dovecot-lda
/usr/lib/dovecot/dovecot-lda//sendmail
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/lmtp
/usr/lib/dovecot/log
/usr/lib/dovecot/managesieve
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/lib/dovecot/ssl-params
/usr/lib/dovecot/stats
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
apache2
apache2//DEFAULT_URI
apache2//HANDLING_UNTRUSTED_INPUT
apache2//phpsysinfo
avahi-daemon
dovecot
identd
klogd
lsb_release
mdnsd
nmbd
nscd
ntpd
nvidia_modprobe
nvidia_modprobe//kmod
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
winbindd
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
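An added example, not code from the thread: a small Python parser for aa-status output in the shape posted above. It makes the point the numbers already carry (47 profiles loaded, 0 processes confined means nothing running is actually confined) and checks which absolute-path profile targets even exist on the host, since most of the listed ones (dovecot, dnsmasq, apache2 under /usr/lib) are server daemons. The sample text and the `exists` hook are constructed for the example.

```python
import os
import re

# Constructed sample in the shape of the aa-status output posted above (shortened).
SAMPLE_AA_STATUS = """\
apparmor module is loaded.
4 profiles are loaded.
4 profiles are in enforce mode.
   /usr/lib/dovecot/imap
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   apache2
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are unconfined but have a profile defined.
"""
PROFILE_COUNT_RE = re.compile(r"^(\d+) profiles are (loaded|in (enforce|complain) mode)\.$")
PROCESS_COUNT_RE = re.compile(r"^(\d+) processes (have profiles defined|are .*)\.$")

def parse_aa_status(text):
    """Return counts plus the profile names listed under each mode (enforce/complain)."""
    status = {"loaded": 0, "enforce": [], "complain": [], "processes_defined": 0}
    mode = None  # profile list the following indented lines belong to, if any
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROFILE_COUNT_RE.match(line):
            mode = m.group(3)  # None for the "N profiles are loaded." summary line
            if m.group(2) == "loaded":
                status["loaded"] = int(m.group(1))
        elif m := PROCESS_COUNT_RE.match(line):
            mode = None  # process sections follow; their lines are not profile names
            if m.group(2) == "have profiles defined":
                status["processes_defined"] = int(m.group(1))
        elif mode and line:
            status[mode].append(line)
    return status

def confinement_report(status, exists=os.path.exists):
    """Defender findings: loaded profiles confining nothing, and profile targets not installed here."""
    findings = []
    loaded = status["enforce"] + status["complain"]
    if loaded and status["processes_defined"] == 0:
        findings.append(f"no running process is confined by any of the {len(loaded)} loaded profiles")
    # Hats ("name//hat") belong to a parent profile, so only check top-level absolute paths.
    targets = {p for p in loaded if p.startswith("/") and "//" not in p}
    missing = sorted(t for t in targets if not exists(t))
    if missing:
        findings.append("profiles for binaries not present on this host: " + ", ".join(missing))
    return findings
```

Run it against real output with `confinement_report(parse_aa_status(subprocess.check_output(["sudo", "aa-status"], text=True)))`; an empty list means every loaded profile has a confined process behind it.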
I'm using SELinux on Arch, so I can't quite tell you what Apparmor should be doing with it; however, I do know that what you're seeing in aa-status is normal. Apparmor is more specifically designed for network connections whereas SELinux would protect all labeled files (the filesystem) in itself. It's designed for a higher degree of convenience while applying targeted security improvements.
I wouldn't use those two commands on every program unless you feel like creating a single profile for every one. Even for Java alone, which I do end up using for Maven and BurpSuite, the time spent on that is high enough to make me use aa-complain in a good chunk of cases.
Last edited by RickDeckard; 07-25-2020 at 10:41 AM.