[apparmor] Problems with apparmor and django application
John Johansen
john.johansen at canonical.com
Wed Feb 11 23:59:20 UTC 2015
On 02/11/2015 02:26 PM, Sumit Khanna wrote:
> I'm currently in the process of creating an apparmor profile for a
> django application my company developed for a client. I've run into some
> permission issues I can't seem to fix. I've been banging my head on this
> for quite some time. The issue has to do with django being able to read
> its site settings files. As far as I can tell, all the correct
> permission exist in the apparmor profile.
>
> I've posted a full description of the problem on StackOverflow:
> http://stackoverflow.com/questions/28445438/loading-django-applications-setting-under-an-apparmor-profile
>
So this has to do with how apparmor handles directory permissions.
Basically you need to add the following rule to your profile:
/usr/local/lib/python2.7/site-packages/ r,
AppArmor allows for a bypass of the dac x (dir walk permission), but requires
read access to a directory to examine or list its files.
This means you can do a direct lookup of a file
open("/foo/bar", r);
without needing permissions to read the directory of /foo/
but to do
ls /foo/
you would need read permissions on the directory.
The apparmor permissions you do have in your profile allow for the following
accesses.
/usr/local/lib/python2.7/dist-packages/**/ rm, #Any dir under /usr/local/lib/python2.7/dist-packages/ but not /usr/local/lib/python2.7/dist-packages/
/usr/local/lib/python2.7/dist-packages/** rm, #Any file or directory under /usr/local/lib/python2.7/dist-packages/ but again not /usr/local/lib/python2.7/dist-packages/
you can get access to the dir itself with
/usr/local/lib/python2.7/dist-packages/ r,
or it can be combined with one of the above rules using an alternation
/usr/local/lib/python2.7/dist-packages/{**,} mr,
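Added example (not part of the thread or of the AppArmor project's code): a small Python model of the glob and lookup semantics described above, so you can see which of the three rule forms match the directory itself versus the files and subdirectories under it. It encodes the AppArmor globbing rules as a simplified regex translation (`*` never crosses `/`, `**` does, and `**` directly after `/` must consume at least one character, which is why `/dir/**` does not match `/dir/`); `aa_glob_to_regex`, `permissions_for`, `can_open_file`, `can_list_dir` and the rule lists are names invented for this example, and the profile rules are constructed from the message, not taken from a real profile. Character classes (`[...]`) and backslash escapes are not modelled.

```python
import re

# Constructed rule sets modelled on the thread (not a real profile file).
# Each rule is (path glob, permission letters).
PROFILE_RULES = [  # what the original profile had
    ("/usr/local/lib/python2.7/dist-packages/**/", "rm"),
    ("/usr/local/lib/python2.7/dist-packages/**", "rm"),
]
FIXED_RULES = PROFILE_RULES + [  # explicit rule for the directory itself
    ("/usr/local/lib/python2.7/dist-packages/", "r"),
]
ALT_RULES = [  # the alternation form that covers both in one rule
    ("/usr/local/lib/python2.7/dist-packages/{**,}", "mr"),
]


def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob into an anchored Python regex.

    Simplified model of the parser's behaviour (assumption, not the real
    parser): '*' matches within one path component, '**' may span '/',
    '?' is one non-'/' char, '{a,b}' is alternation.  A '*' or '**' that
    directly follows '/' must match at least one character, so '/dir/*'
    and '/dir/**' never match '/dir/' itself.
    """
    out, depth, i = [], 0, 0
    while i < len(glob):
        c = glob[i]
        prev = glob[i - 1] if i > 0 else ""
        nxt = glob[i + 1] if i + 1 < len(glob) else ""
        if c == "*" and nxt == "*":
            out.append("[^/].*" if prev == "/" else ".*")
            i += 2
            continue
        if c == "*":
            # '/*' at the end or before '/' must consume one component
            out.append("[^/]+" if prev == "/" and nxt in ("", "/") else "[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}":
            depth -= 1
            out.append(")")
        elif c == "," and depth > 0:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def permissions_for(rules, path):
    """Union of the permission letters of every rule whose glob matches path."""
    perms = set()
    for glob, mode in rules:
        if re.match(aa_glob_to_regex(glob), path):
            perms.update(mode)
    return "".join(sorted(perms))


def can_open_file(rules, path):
    """open(path, O_RDONLY): AppArmor mediates the file's own path only.

    No rule for the parent directories is consulted, i.e. the DAC 'x'
    (directory walk) requirement is bypassed, as the message explains.
    """
    return "r" in permissions_for(rules, path)


def can_list_dir(rules, dirpath):
    """ls dirpath: the directory's own path, with trailing '/', needs 'r'."""
    if not dirpath.endswith("/"):
        dirpath += "/"
    return "r" in permissions_for(rules, dirpath)


if __name__ == "__main__":
    base = "/usr/local/lib/python2.7/dist-packages/"
    for name, rules in (("original", PROFILE_RULES), ("fixed", FIXED_RULES),
                        ("alternation", ALT_RULES)):
        print(name, "open settings.py:", can_open_file(rules, base + "myapp/settings.py"),
              "ls myapp/:", can_list_dir(rules, base + "myapp"),
              "ls dist-packages/:", can_list_dir(rules, base))
```

With the original two rules the model reports that opening a settings file and listing a subdirectory both succeed, while listing dist-packages/ itself is denied; adding the explicit directory rule or switching to the `{**,}` form makes that listing succeed too. If a denial in the real system does not match this model, check `/var/log/kern.log` or `dmesg` for the `apparmor="DENIED"` line, which names the exact path and requested mask.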