[apparmor] apache2 profile update

Simon Deziel simon.deziel at gmail.com
Mon Sep 8 21:46:49 UTC 2014


On 09/08/2014 05:27 PM, Jamie Strandboge wrote:
> Index: apparmor-2.8.96~2652/profiles/apparmor.d/usr.sbin.apache2
> ===================================================================
> --- apparmor-2.8.96~2652.orig/profiles/apparmor.d/usr.sbin.apache2
> +++ apparmor-2.8.96~2652/profiles/apparmor.d/usr.sbin.apache2
> @@ -53,13 +53,20 @@
>    # 2- Enable the main apache2 profile
>    #    sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
>    #
> -  # 3- Configure apache with the following:
> +  # 3- Configure apache with the following (or similar):
> +  #    Alias /phpsysinfo /usr/share/phpsysinfo
> +  #    <Location /phpsysinfo>
> +  #        <IfModule mod_apparmor.c>
> +  #          AAHatName phpsysinfo
> +  #        </IfModule>
>    #
> -  #        <Directory /var/www/phpsysinfo/>
> -  #            <IfModule mod_apparmor.c>
> -  #                AAHatName phpsysinfo
> -  #            </IfModule>
> -  #        </Directory>
> +  #        # adjust as necessary:
> +  #        Options None
> +  #        Order allow,deny
> +  #        Allow from localhost 127.0.0.0/8 ::1
> +  #        Allow from 192.168.0.0/16
> +  #        # Allow from All
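Review bot: The access rules in the new example ("Options None", "Order allow,deny", the "Allow from" lines) sit inside <Location /phpsysinfo>, so they are bound to that URL rather than to /usr/share/phpsysinfo, and they will not follow the directory if it is later mapped under a different URL. Consider keeping AAHatName in the <Location> block and moving the access rules into a <Directory /usr/share/phpsysinfo> block. It would also be safer for the example to ship "Allow from 192.168.0.0/16" commented out, like "Allow from All", so that a copy-paste defaults to localhost only.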

Just a minor nitpick: the "Order", "Allow from" and "Allow from All"
should IMHO be replaced by the newer directives:

  Require local
  Require ip 192.168.0.0/16

This avoids a dependency on the access_compat.so module (even if it's in
Ubuntu's default).

Regards,
Simon
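
Added example, not part of the original message or of the AppArmor or Apache projects: a small Python check that finds mod_access_compat directives in a configuration fragment and proposes `Require` lines, using the mapping suggested in the message above. The function names and the sample text are constructed for illustration; anything other than a plain `Order allow,deny` with `Allow from` lines is returned for manual review instead of being rewritten.

```python
import ipaddress
import re

# The four directives provided by mod_access_compat (2.2-style access control).
COMPAT = re.compile(r"^(Order|Allow|Deny|Satisfy)\b\s*(.*)$", re.IGNORECASE)
LOOPBACK = {"localhost", "127.0.0.0/8", "127.0.0.1", "::1"}
# Constructed sample: the directives from the quoted patch, uncommented.
SAMPLE = ("Options None\nOrder allow,deny\nAllow from localhost 127.0.0.0/8 ::1\n"
          "Allow from 192.168.0.0/16\n# Allow from All\n")

def is_ip(token):
    try:
        ipaddress.ip_network(token, strict=False)  # address or CIDR network
        return True
    except ValueError:
        return False

def to_require(config_text):
    """Return (require_lines, manual_review) for the compat directives found."""
    requires, review = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMPAT.match(line)  # comment lines start with '#' and never match
        if not m:
            continue
        name, args = m.group(1).lower(), m.group(2).split()
        if name == "order" and "".join(args).lower() == "allow,deny":
            continue  # default deny is what Require already gives
        if name != "allow" or len(args) < 2 or args[0].lower() != "from":
            review.append(line)  # Deny, Satisfy, other orderings
            continue
        for tok in args[1:]:
            if tok.lower() == "all":
                new = "Require all granted"
            elif tok.lower() in LOOPBACK:
                new = "Require local"
            elif is_ip(tok):
                new = "Require ip " + tok
            elif re.fullmatch(r"\.?[A-Za-z][A-Za-z0-9.-]*", tok):
                new = "Require host " + tok
            else:
                review.append(line)  # env=..., partial IPs: rewrite by hand
                continue
            if new not in requires:
                requires.append(new)
    return requires, review

if __name__ == "__main__":
    print(to_require(SAMPLE))
```
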


