<div dir="ltr">Hi, I am looking below user cases for role based access control: 1. A user should be able to manage sshd and apache2 services : when I say manage, user should be able to configure these services and stop/start/restart. This user role is to administer ssh and apache services. 2. A user for network administration. This role should be able to add/modify ip/route etc. After refer to some wiki page docs for RBAC in AppArmor, I still don’t find answers to below questions. 1. How to assign multiple roles to given user 2. How to switch between the roles 3. Is it possible to provide roles only of read only access: consider the example of sshd service. Is it possible to create a role only to check the status of sshd service and read sshd configuration 4. By refering to the example given in apparmor wiki (<a href="http://wiki.apparmor.net/index.php/Pam_apparmor_example">http://wiki.apparmor.net/index.php/Pam_apparmor_example</a>) After following the steps mention above, even root user also needs to have role profile or else default profile is applied. Is there a way by which we can exclude root user from this RBAC how to have some user outside pam_apparmor control how to provide RBAC only for selected users and not all users on the system. Thanks and regards,Adishesh </div><div class="gmail_extra"> <div class="gmail_quote">On Tue, May 10, 2016 at 1:27 AM, Seth Arnold <<a href="mailto:seth.arnold@canonical.com" target="_blank">seth.arnold@canonical.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Mon, May 09, 2016 at 02:09:09PM +0530, Adishesh M wrote: > is there any howto document available for updating httpd/apache profile to > include role based access. > i need to create two roles : one readonly access for httpd and other httpd > admin role. Hello Adishesh, Can you describe what you're trying to accomplish? There's a few dozen webservers out there and while there's existing profiles for e.g. apache[1] those profiles are certainly not "read-only". Of course what makes it difficult to prepare a "standard profile" is that web servers are expected to do so much. If you really just want to serve static pages, you could start with a profile like: /path/to/server { #include <abstractions/base> capability setgid, capability setuid, capability net_bind_service, network inet stream, network inet6 stream, /var/www/** r, /var/logs/<whatever> rwl, } You'll need to amend this profile to do whatever it is your program needs. You may be able to use fewer capabilities if it doesn't bind to port 80 or drop privileges once running (say, if it just runs as a different user in the first place). Updating the web content is another question. You could use a specific user with a specific shell, and confine that shell. You could use sftp and confine the ssh daemon. You could use a cronjob to periodically pull updates via rsync or git and have -those- be confined. What workflow do you want to support? Thanks 1: <a href="http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/profiles/apparmor.d/usr.sbin.apache2" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/profiles/apparmor.d/usr.sbin.apache2</a> -- AppArmor mailing list <a href="mailto:AppArmor@lists.ubuntu.com">AppArmor@lists.ubuntu.com</a> Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/apparmor" rel="noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/apparmor</a> </blockquote></div> </div>