# mkdir /etc/default/grub.d
# cat /etc/default/grub.d/apparmor.cfg
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
# update-grub
# init 6
# apt install apparmor
# aa-status
# ps axZ
# apt install bind9
# apt install apparmor-utils
# aa-unconfined
# apt install apparmor-profiles
# find /etc/apparmor.d/
# service apparmor teardown
# service apparmor restart
# ldd /bin/bash
# ldd /bin/cat
# ldd /usr/bin/file
# man file
# cat /etc/apparmor.d/usr.local.sbin.webd
/usr/local/sbin/webd {
  network inet stream,

  /usr/local/sbin/webd r,

  # "ix" = inherit execute: the started program runs under this same profile.
#  /usr/bin/bash ix,
  /usr/bin/cat ix,
  /usr/bin/file ix,

  /etc/magic r,
  /usr/share/file/magic.mgc r,
  /usr/lib/file/magic.mgc r,

  # "**" also matches "/", so this grants read access to the whole tree under /var/www.
  /var/www/** r,

  /usr/lib/x86_64-linux-gnu/libtinfo* mr,
  /usr/lib/x86_64-linux-gnu/libdl* mr,
  /usr/lib/x86_64-linux-gnu/libc* mr,
  /usr/lib/x86_64-linux-gnu/libz* mr,
  /usr/lib/x86_64-linux-gnu/libmagic* mr,
}
# aa-complain /usr/local/sbin/webd
# aa-status
# tail -f /var/log/audit/audit.log | grep usr.local.sbin.webd
# aa-enforce /usr/local/sbin/webd
# tail -f /var/log/audit/audit.log | grep usr.local.sbin.webd
# aa-disable /usr/local/sbin/webd
# aa-genprof /usr/local/sbin/webd
...
# cat /etc/apparmor.d/usr.local.sbin.webd
# Last Modified: Fri Mar 30 06:29:37 2012
#include <tunables/global>

/usr/local/sbin/webd {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/apache2-common>

  /usr/local/sbin/webd r,
  /bin/bash ix,
  /bin/cat rix,
  /etc/magic r,
  /usr/bin/file rix,
  /usr/share/file/magic.mgc r,
  /var/www/* r,
}
# service apparmor restart