[apparmor] RBAC based on AppArmor

Adishesh M adisheshsm at gmail.com
Wed May 11 05:14:22 UTC 2016


I am looking at the use cases below for role-based access control:

1.     A user should be able to manage the sshd and apache2 services: when I
say manage, the user should be able to configure these services and

        This user role is to administer ssh and apache services.

 2.    A user for network administration. This role should be able to
add/modify ip/route etc.

 After referring to some wiki page docs for RBAC in AppArmor, I still can't
find answers to the questions below.

1.       How to assign multiple roles to a given user?

2.       How to switch between the roles?

3.       Is it possible to provide roles of read-only access only? Consider
the example of the sshd service. Is it possible to create a role only to check
the status of the sshd service and read the sshd configuration?

4.       By referring to the example given in the AppArmor wiki (

After following the steps mentioned above, even the root user needs to have a
role profile, or else the default profile is applied.

Is there a way by which we can exclude the root user from this RBAC?

How to have some user outside pam_apparmor control?

How to provide RBAC only for selected users and not all users on the system?

Thanks and regards,


On Tue, May 10, 2016 at 1:27 AM, Seth Arnold <seth.arnold at canonical.com>

> On Mon, May 09, 2016 at 02:09:09PM +0530, Adishesh M wrote:
> > is there any howto document available for updating httpd/apache profile to
> > include role based access.
> > i need to create two roles : one readonly access for httpd and other httpd
> > admin role.
>
> Hello Adishesh,
>
> Can you describe what you're trying to accomplish?
>
> There's a few dozen webservers out there and while there's existing
> profiles for e.g. apache[1] those profiles are certainly not "read-only".
>
> Of course what makes it difficult to prepare a "standard profile" is that
> web servers are expected to do so much. If you really just want to serve
> static pages, you could start with a profile like:
>
> /path/to/server {
>   #include <abstractions/base>
>   capability setgid,
>   capability setuid,
>   capability net_bind_service,
>   network inet  stream,
>   network inet6 stream,
>   /var/www/** r,
>   /var/logs/<whatever> rwl,
> }
>
> You'll need to amend this profile to do whatever it is your program needs.
> You may be able to use fewer capabilities if it doesn't bind to port 80 or
> drop privileges once running (say, if it just runs as a different user
> in the first place).
>
> Updating the web content is another question. You could use a specific
> user with a specific shell, and confine that shell. You could use sftp and
> confine the ssh daemon. You could use a cronjob to periodically pull
> updates via rsync or git and have -those- be confined. What workflow do
> you want to support?
>
> Thanks
>
> 1: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/profiles/apparmor.d/usr.sbin.apache2
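
Added example (not part of either message above, and not AppArmor project code): a small Python check of how far the static-content profile quoted in the reply is from "read-only", listing the capabilities it grants and every file rule that allows more than read access. It assumes simple one-line rules, does not expand #include abstractions (which grant rules of their own), and the name audit_profile is made up for this illustration.

```python
import re

# The static-content profile quoted in the thread, embedded as sample input.
PROFILE = """\
/path/to/server {
  #include <abstractions/base>
  capability setgid,
  capability setuid,
  capability net_bind_service,
  network inet  stream,
  network inet6 stream,
  /var/www/** r,
  /var/logs/<whatever> rwl,
}
"""

# [audit|allow|deny|owner ...] <path> <perms>,   (unquoted paths only)
FILE_RULE = re.compile(
    r"^((?:(?:audit|allow|deny|owner)\s+)*)(/\S*|@\{\S+)\s+([A-Za-z]+),$")
CAP_RULE = re.compile(r"^capability\s+([a-z_\s]+),$")
MUTATING = set("wal")  # write, append, link


def audit_profile(text):
    """Return (capabilities, rules_beyond_read, read_only_paths)."""
    caps, beyond_read, read_only = [], [], []
    for raw in text.splitlines():
        # Drop comments; this also drops "#include" lines, which are not expanded.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = CAP_RULE.match(line)
        if m:
            caps.extend(m.group(1).split())
            continue
        m = FILE_RULE.match(line)
        if not m:
            continue  # profile header, network rule, closing brace
        qualifiers, path, perms = m.groups()
        if "deny" in qualifiers.split():
            continue  # deny rules grant nothing
        if MUTATING & set(perms) or "x" in perms.lower():
            beyond_read.append((path, perms))  # can modify files or execute
        else:
            read_only.append(path)
    return caps, beyond_read, read_only
```

Run over the quoted profile, the only file rule beyond read access is the log path, while the three capabilities remain for review, matching the reply's remark that fewer may be needed if the server does not bind to port 80 or drop privileges.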