[apparmor] AppArmor and virtual hosts in Apache
Christian Boltz
apparmor at cboltz.de
Tue May 2 21:10:09 UTC 2017
Hello,
On Tuesday, 2 May 2017, 11:26:36 CEST, John Johansen wrote:
> On 05/02/2017 01:58 AM, Lentes, Bernd wrote:
> > ----- On Apr 29, 2017, at 3:02 AM, Seth Arnold seth.arnold at canonical.com wrote:
> >> On Wed, Apr 26, 2017 at 08:26:10PM +0200, Lentes, Bernd wrote:
> >>> I have a SLES 10 SP4 box.
That sounds like a terribly old AppArmor version, but still,
mod_apparmor probably didn't change too much in the meantime.
BTW: You might want to steal ;-)
/etc/apparmor.d/abstractions/apache2-common
from a more recent AppArmor release. Note that you'll probably have to
remove the "signal" rules - I'd be surprised if apparmor_parser on SLE10
can handle them.
> There are a couple of things that could be done to help. An
> interactive learning mode could make the decision at request time, at
> the cost of blocking until ready. We could also allow adding some
> rules that would provide patterns for what kind of requests should map
> to which profiles, or if they should create a new custom learning
> profile.
Or you can do something simple and boring - create the hat manually in
the profile [1] (and reload the profile) before using it ;-)
That will stop the change_hat guessing and ensure everything gets logged
for the hat you want to use.
Regards,
Christian Boltz
[1] actually I have a script to do that - but it's written in a way that
_will_ break profiles if they don't match the whitespace it expects,
so I won't publish it. If this still didn't scare you away, ask me
off-list if you really want it ;-)
--
a car also "works" with square tires; whether I would want to drive
such a thing is another question. [Björn Meier in postfixbuch-users]
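
Added example (not part of the original message, and not the script mentioned in footnote [1]): one way to pre-create a hat in a profile before mod_apparmor is asked to change into it. It finds the profile's closing brace by tracking block depth instead of matching fixed whitespace, and assumes each block opens or closes on its own line and that hats are declared inside the profile as `^name { ... }`. The profile and hat names in the sample are hypothetical.

```python
import re

# Default hat body: the abstraction named in the message above.
DEFAULT_BODY = ("#include <abstractions/apache2-common>",)

def _block_name(code):
    """Name of the profile/hat a line opens, or None if it opens no block."""
    if not code.endswith("{"):
        return None
    words = code[:-1].split()
    if words and words[0] in ("profile", "hat"):
        words = words[1:]
    return words[0].lstrip("^") if words else None

def add_hat(text, profile, hat, body=DEFAULT_BODY):
    """Return the profile text with a ^hat stub added inside `profile`."""
    lines = text.splitlines()
    depth, in_target = 0, False
    for i, line in enumerate(lines):
        code = line.split("#", 1)[0].strip()   # drop comments and #include
        name = _block_name(code)
        if name is not None:
            if depth == 0 and name == profile:
                in_target = True
            elif depth == 1 and in_target and name == hat:
                return text                     # hat already declared
            depth += 1
        elif code == "}":
            depth -= 1
            if depth == 0 and in_target:        # closing brace of the profile
                pad = re.match(r"\s*", line).group() + "  "
                stub = [f"{pad}^{hat} {{"]
                stub += [f"{pad}  {rule}" for rule in body]
                stub.append(f"{pad}}}")
                return "\n".join(lines[:i] + stub + lines[i:]) + "\n"
    raise ValueError(f"profile {profile!r} not found or braces unbalanced")

# Constructed sample; the profile and hat names are hypothetical.
SAMPLE = """\
/usr/sbin/example-httpd {
  #include <abstractions/base>
  /srv/www/{htdocs,vhosts}/** r,
  ^vhost-a.example {
    #include <abstractions/apache2-common>
  }
}   # end of profile
"""

if __name__ == "__main__":
    print(add_hat(SAMPLE, "/usr/sbin/example-httpd", "vhost-b.example"))
```

The glob alternation `{htdocs,vhosts}` in the sample is not mistaken for a block because the rule line ends in a comma. After writing the result back, the profile still has to be reloaded (for example with `apparmor_parser -r`) before the hat is used.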