[apparmor] AppArmor and virtual hosts in Apache

Lentes, Bernd bernd.lentes at helmholtz-muenchen.de
Wed May 3 11:14:08 UTC 2017



----- On May 2, 2017, at 11:10 PM, Christian Boltz apparmor at cboltz.de wrote:

> Hello,
> 
> On Tuesday, 2 May 2017, 11:26:36 CEST, John Johansen wrote:
>> On 05/02/2017 01:58 AM, Lentes, Bernd wrote:
>> > ----- On Apr 29, 2017, at 3:02 AM, Seth Arnold
> seth.arnold at canonical.com wrote:
>> >> On Wed, Apr 26, 2017 at 08:26:10PM +0200, Lentes, Bernd wrote:
> 
>> >>> I have a SLES 10 SP4 box.
> 
> That sounds like a terribly old AppArmor version, but still,
> mod_apparmor probably didn't change too much in the meantime.

Hi Christian,

pc52842:~ # rpm -qa|grep -i armor

apache2-mod-apparmor-2.0-21.2
libapparmor-2.2-0.3
perl-libapparmor-2.2-0.3
apparmor-utils-2.1.1-0.9
apparmor-admin_en-10.1-0.25.14
apparmor-profiles-2.0.1-20.28.1
apparmor-docs-2.1.1-0.7.19
libapparmor-32bit-2.2-0.3
yast2-apparmor-2.1-2.8
apparmor-parser-2.1.1-0.8.1


> 
> BTW: You might want to steal ;-)
>    /etc/apparmor.d/abstractions/apache2-common
> from a more recent AppArmor release. Note that you'll probably have to
> remove the "signal" rules - I'd be surprised if apparmor_parser on SLE10
> can handle them.
> 
>> There are a couple of things that could be done to help. An
>> interactive learning mode could make the decision at request time, at
>> the cost of blocking until ready. We could also allow adding some
>> rules that would provide patterns for what kind of requests should map
>> to which profiles, or if they should create a new custom learning
>> profile.
> 
> Or you can do something simple and boring - create the hat manually in
> the profile [1] (and reload the profile) before using it ;-)
> 
> That will stop the change_hat guessing and ensure everything gets logged
> for the hat you want to use.

That's what I tried. I created a hat for the vhost I want to confine.
httpd2 and the hat are running in complain mode. I find entries in the audit.log referring to my
newly created hat. But when I run logprof to generate/edit my profile,
logprof still wants to create a lot of new hats.
Or do you mean something different?

I'm astonished that the topic vhosts/hats is so complicated. I read some articles from German computer magazines
about apparmor, and the tenor was always "it's pretty easy".
What are big companies running a lot of vhosts doing? Not using apparmor?

My problem is that one vhost needs to be confined. But the other not. The other is a critical, self-written web application
which is very important for us and needs to run without interruptions. I don't want to influence it by apparmor.
The developer just left us and we will get no replacement. So creating a profile manually is difficult for me because
I really don't know exactly what permissions the app needs.
So I'm really thinking of extracting the web application which should be confined and moving it to a virtual machine,
where it runs independently without any other vhost.
Having all the vhosts on the same machine, and running logprof
to generate the profile, I'm often asked to make changes in the profile of the parent httpd2.
I'm afraid of influencing the nervous web application if I make the parent profile for httpd2 too tight.
But if I make it too loose so as not to disturb my diva, I'm afraid of having security problems for the vhost
which has to be confined.
What do you think?
 
Bernd
 

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671
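The distinction the thread turns on is whether an audit event was handled by the hat Bernd created for the confined vhost or by the parent httpd2 profile: mod_apparmor switches into a hat per vhost (the AAHatName directive selects it), and AppArmor logs such events with `profile="<parent>//<hat>"`, while events from the parent profile carry only `profile="<parent>"`. The script below is an added example, not code from the thread or from the AppArmor tools: it parses audit lines, counts events per profile and hat, and derives file rules for one chosen hat only, leaving parent-profile events and exec requests for manual review instead of folding them into the hat the way logprof's prompts would. The sample log lines, the `/usr/sbin/httpd2-prefork` path and the `vhost-confined` hat name are constructed; the `type=AVC ... apparmor="ALLOWED"` layout is what recent kernels log and may differ from the format on a SLES 10 box.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from a real system). Paths, vhost name
# and PIDs are made up; the type=AVC / apparmor="..." layout is the format
# logged by recent kernels and may differ from what SLES 10 SP4 writes.
SAMPLE_LOG = """\
type=AVC msg=audit(1493802000.101:10): apparmor="ALLOWED" operation="open" profile="/usr/sbin/httpd2-prefork//vhost-confined" name="/srv/www/vhosts/confined/index.php" pid=2101 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=30
type=AVC msg=audit(1493802000.102:11): apparmor="ALLOWED" operation="open" profile="/usr/sbin/httpd2-prefork//vhost-confined" name="/srv/www/vhosts/confined/uploads/1.png" pid=2101 comm="httpd2-prefork" requested_mask="wc" denied_mask="wc" fsuid=30 ouid=30
type=AVC msg=audit(1493802000.103:12): apparmor="ALLOWED" operation="open" profile="/usr/sbin/httpd2-prefork" name="/etc/apache2/mime.types" pid=2100 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1493802000.104:13): apparmor="DENIED" operation="exec" profile="/usr/sbin/httpd2-prefork//vhost-confined" name="/bin/sh" pid=2101 comm="httpd2-prefork" requested_mask="x" denied_mask="x" fsuid=30 ouid=30
type=AVC msg=audit(1493802000.105:14): apparmor="ALLOWED" operation="open" profile="/usr/sbin/httpd2-prefork//vhost-confined" name="/srv/www/vhosts/confined/index.php" pid=2102 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=30
"""

# key="quoted value" or key=bareword, as used by audit records
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Log masks use 'c' (create) and 'd' (delete); profile rules express both as 'w'.
MASK_MAP = {"c": "w", "d": "w"}
MASK_ORDER = "rwalmk"   # letters kept for the generated rule, in this order


def parse_line(line):
    """Return the fields of one AppArmor audit line, or None for other records.
    Adds base_profile and hat (the part after '//', or None)."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if "apparmor" not in fields or "profile" not in fields:
        return None
    base, _, hat = fields["profile"].partition("//")
    fields["base_profile"] = base
    fields["hat"] = hat or None
    return fields


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def summarize(events):
    """Count ALLOWED/DENIED events per (base_profile, hat). An event under
    (base, None) was handled by the parent profile, not by any hat."""
    counts = defaultdict(lambda: {"ALLOWED": 0, "DENIED": 0})
    for ev in events:
        counts[(ev["base_profile"], ev["hat"])][ev["apparmor"]] += 1
    return dict(counts)


def _in_hat(ev, base_profile, hat):
    return ev["base_profile"] == base_profile and ev["hat"] == hat


def exec_events(events, base_profile, hat):
    """Paths the hat tried to execute. These are returned for manual review
    rather than turned into rules: an exec rule needs an explicit transition
    qualifier (ix, Px, Ux, ...) that cannot be inferred from the log."""
    return sorted({ev["name"] for ev in events
                   if _in_hat(ev, base_profile, hat)
                   and "x" in ev.get("requested_mask", "") and "name" in ev})


def hat_skeleton(events, base_profile, hat):
    """Build file rules from the events of this hat only, merging permissions
    per path. Parent-profile events and exec requests are left out."""
    perms = defaultdict(set)
    for ev in events:
        if not _in_hat(ev, base_profile, hat) or "name" not in ev:
            continue
        mask = ev.get("requested_mask", "")
        if "x" in mask:
            continue
        for letter in mask:
            letter = MASK_MAP.get(letter, letter)
            if letter in MASK_ORDER:
                perms[ev["name"]].add(letter)
    lines = [f"  ^{hat} {{"]
    for path in sorted(perms):
        mode = "".join(sorted(perms[path], key=MASK_ORDER.index))
        lines.append(f"    {path} {mode},")
    lines.append("  }")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (base, hat), c in sorted(summarize(evs).items(), key=str):
        print(f"{base} hat={hat}: allowed={c['ALLOWED']} denied={c['DENIED']}")
    print(hat_skeleton(evs, "/usr/sbin/httpd2-prefork", "vhost-confined"))
    print("exec requests to review:",
          exec_events(evs, "/usr/sbin/httpd2-prefork", "vhost-confined"))
```

Run against a real audit.log, the per-profile counts show at a glance whether requests from the confined vhost are landing in its hat or in the parent profile; only the former should drive rules for the hat, and anything counted under `(parent, None)` is exactly the kind of change to the parent httpd2 profile that the sensitive vhost would also be subject to. The generated block is a starting point for the `^hat { }` section of the profile and still needs a human to decide on the exec transitions it lists separately.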



