# apt install apparmor-utils
# aa-status
# aa-unconfined
# service apparmor teardown
(teardown unloads all loaded AppArmor profiles, not only the one for webd)
# ldd /bin/bash
# ldd /bin/cat
# ldd /usr/bin/file
# man file
# cat /etc/apparmor.d/usr.local.sbin.webd
# Hand-written AppArmor profile for /usr/local/sbin/webd.
# NOTE(review): line breaks are restored from a collapsed listing; each "#" is
# assumed to comment out exactly one rule -- confirm against the installed file.
/usr/local/sbin/webd {

  # Allows AF_INET stream (TCP over IPv4) sockets; this is the only network
  # rule in the profile.
  network inet stream,

  /usr/local/sbin/webd r,
  # /bin/bash ix,
  # ix = inherit: the helper runs under this same profile, so it gets no
  # access beyond the rules listed here.
  /bin/cat ix,
  /usr/bin/file ix,
  /etc/magic r,
  /usr/share/file/magic.mgc r,
  # "**" matches across "/": everything below /var/www is readable (read only).
  /var/www/** r,

  # cat and file inherit this profile, so the shared libraries they map must
  # be allowed here as well (m = executable mmap, r = read). The rules are
  # commented out in this revision -- presumably enable the set matching the
  # host architecture; verify with ldd.

  ###For i386 Debian/Ubuntu
  # /lib/i386-linux-gnu/libz* mr,
  # /lib/i386-linux-gnu/libtinfo* mr,
  # /lib/i386-linux-gnu/libdl* mr,
  # /lib/i386-linux-gnu/libc* mr,
  # /usr/lib/libmagic* mr,

  ###For x86_64 Debian/Ubuntu
  # /lib/x86_64-linux-gnu/libtinfo* mr,
  # /lib/x86_64-linux-gnu/libdl* mr,
  # /lib/x86_64-linux-gnu/libc* mr,
  # /lib/x86_64-linux-gnu/libz* mr,
  # /usr/lib/x86_64-linux-gnu/libmagic* mr,

}
# aa-complain /usr/local/sbin/webd
# aa-enforce /usr/local/sbin/webd
# tail -f /var/log/syslog | grep usr.local.sbin.webd
# tail -f /var/log/audit/audit.log | grep usr.local.sbin.webd
# aa-disable /usr/local/sbin/webd
# find /etc/apparmor.d/ -ls | grep webd
http://www.novell.com/documentation/apparmor/apparmor201_sp10_admin/data/bx5bml8.html#bx5bmlf
# aa-genprof /usr/local/sbin/webd
...
# cat /etc/apparmor.d/usr.local.sbin.webd
# Last Modified: Fri Mar 30 06:29:37 2012
#include <tunables/global>

# Profile for /usr/local/sbin/webd as printed after the aa-genprof run.
/usr/local/sbin/webd {
  #include <abstractions/base>
  #include <abstractions/bash>
  # NOTE(review): each abstraction pulls in rules that are not visible in this
  # file, and there is no explicit network rule here. Read
  # abstractions/apache2-common before treating this profile as a tight
  # confinement for webd.
  #include <abstractions/apache2-common>

  /usr/local/sbin/webd r,
  # ix = inherit: bash, cat and file run under this same profile rather than
  # unconfined or under a profile of their own.
  /bin/bash ix,
  /bin/cat rix,
  /etc/magic r,
  /usr/bin/file rix,
  /usr/share/file/magic.mgc r,
  # "*" does not cross "/": only entries directly in /var/www are readable;
  # files in subdirectories would need "**".
  /var/www/* r,

}
# service apparmor restart