[apparmor] allowing previous denied progs

John Johansen john.johansen at canonical.com
Tue May 27 06:46:00 UTC 2014


On 05/27/2014 08:32 AM, Hajo Locke wrote:
> Hello,
> 
> we use apparmor to secure apache and restrict some paths and progs we do not want our users to execute.
> For this reason we packaged a standard version of our rules, which is installed on our servers. Depending on server type we want to allow some previously denied progs by other rules which are included afterwards.

I assume you are using deny rules to provide the restriction, instead of
just relying on the policy being a white list.

> This seems to be a problem, because it seems it is not possible to allow progs which are denied in any rule. Is this true?
> 
Currently if you are using an explicit deny there is not any way to
override it.

There has been some work done to make this possible but it is not
available yet.

> This is a problem for us, because we cannot deploy/update a set of standard rules by our packages and finalize the situation with handmade server-individual rules, which are included at the finish. What shall we do in this situation?
> 
Is it possible to deploy your base policy as a white list without the
deny rules? Basically only specifying what is allowed, with the denied
programs being denied by not having a rule allowing them?
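As an added illustration of the white-list layout suggested above (not code from the thread or from the AppArmor project), here is a base profile that ships without any deny lines and pulls in a per-server file for additions; the profile path, the Apache and interpreter paths, and the site-local include name are assumed:

```apparmor
# /etc/apparmor.d/usr.sbin.apache2  (assumed path; shipped by the package)
#include <tunables/global>

/usr/sbin/apache2 {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setuid,
  capability setgid,

  # White list: only what every server type needs. Deliberately no
  # "deny" lines, because an explicit deny cannot be overridden by an
  # allow rule that is included later.
  /etc/apache2/** r,
  /var/www/** r,
  /var/log/apache2/* w,
  /usr/bin/php5 ix,           # assumed interpreter path

  # Programs such as /usr/bin/perl get no rule here at all, so they are
  # denied by omission on servers that do not need them.

  # Server-type specific additions live in a file the package never
  # overwrites. Since the base is a white list, that file only ever has
  # to add allow rules, which is the one thing a later include can do.
  #include <local/usr.sbin.apache2>
}
```

The hand-maintained file `/etc/apparmor.d/local/usr.sbin.apache2` then holds just the extra allow lines a given server type needs, for example `/usr/bin/perl ix,`; had the base profile instead carried `deny /usr/bin/perl x,`, no later include could re-enable it.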
