This shows you the differences between two versions of the page.
модуль_apparmor [2020/07/15 16:54] val [Creating and enabling a profile with the aa-genprof utility] |
модуль_apparmor [2024/04/26 08:41] (current) val |
||
---|---|---|---|
Line 7: | Line 7: | ||
===== Установка ===== | ===== Установка ===== | ||
- | ==== Debian 9 ==== | + | ==== Включение/Выключение ==== |
- | * [[https://wiki.debian.org/AppArmor/HowToUse|AppArmor HowToUse]] | + | * В Debian/Ubuntu включен по умолчанию |
+ | * [[https://wiki.debian.org/AppArmor/HowToUse|debian AppArmor HowToUse]] | ||
+ | * [[https://help.ubuntu.com/community/AppArmor|ubuntu AppArmor]] | ||
+ | === Debian 11 (enable) === | ||
<code> | <code> | ||
# mkdir /etc/default/grub.d | # mkdir /etc/default/grub.d | ||
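Review bot: The new bullet "В Debian/Ubuntu включен по умолчанию" (enabled by default in Debian/Ubuntu) sits directly above the retitled "Debian 11 (enable)" block, which still walks through the grub.d steps without saying when they are needed. Add one line stating that the enable steps apply only where AppArmor has been switched off, and put a state check such as aa-status in front of them, so readers do not edit the boot command line unnecessarily.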
Line 17: | Line 20: | ||
</code><code> | </code><code> | ||
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor" | GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor" | ||
+ | </code> | ||
+ | |||
+ | === Ubuntu 20/22 (disable) === | ||
+ | <code> | ||
+ | # cat /etc/default/grub | ||
+ | </code><code> | ||
+ | ... | ||
+ | GRUB_CMDLINE_LINUX="... apparmor=0" | ||
+ | ... | ||
</code><code> | </code><code> | ||
# update-grub | # update-grub | ||
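Review bot: The "Ubuntu 20/22 (disable)" block is inserted between the Debian GRUB_CMDLINE_LINUX_DEFAULT line and the existing `# update-grub`, so the enable procedure now ends at the added `</code>` without its update-grub step, and update-grub reads as part of the disable recipe only. Move the new block after update-grub or repeat the command in both procedures. The section should also say that `apparmor=0` removes confinement for every profile on the host, and point to aa-complain or aa-disable from apparmor-utils for the case where only one profile is causing trouble.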
Line 29: | Line 41: | ||
</code> | </code> | ||
- | ===== Определение наличия профилей для служб ===== | + | ===== Определение наличия и правка профилей для служб ===== |
<code> | <code> | ||
- | # ps axZ # apt install bind9 | + | # ps axZ # apt install clamav-daemon |
+ | |||
+ | # find /etc/apparmor.d/ | ||
+ | |||
+ | # cat /etc/apparmor.d/usr.sbin.clamd | ||
+ | </code><code> | ||
+ | ... | ||
+ | /disk2/ rw, | ||
+ | /disk2/** krw, | ||
+ | |||
+ | /var/CommuniGate/ rw, | ||
+ | /var/CommuniGate/** krw, | ||
+ | ... | ||
+ | </code><code> | ||
+ | # cat /etc/apparmor.d/local/usr.sbin.dhcpd | ||
+ | </code><code> | ||
+ | /**/dhcp/ r, | ||
+ | /**/dhcp/** r, | ||
+ | </code> | ||
+ | или | ||
+ | <code> | ||
+ | # rm /etc/apparmor.d/usr.sbin.dhcpd | ||
+ | </code><code> | ||
+ | # init 6 | ||
# apt install apparmor-utils | # apt install apparmor-utils | ||
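Review bot: The clamd rules are shown as edits to /etc/apparmor.d/usr.sbin.clamd itself, while the dhcpd example right below it uses /etc/apparmor.d/local/; keep the clamd additions in a local/ override as well, so a package upgrade of the profile does not collide with them. `krw` on /disk2/** and /var/CommuniGate/** also grants write and lock over whole trees; if clamd only scans there, `r` is enough. The "или" alternative, `rm /etc/apparmor.d/usr.sbin.dhcpd` followed by `init 6`, leaves dhcpd unconfined from then on; say so next to the command, or show aa-disable, which unloads a single profile without a reboot.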
Line 38: | Line 73: | ||
# apt install apparmor-profiles | # apt install apparmor-profiles | ||
+ | |||
+ | # less /usr/share/apparmor/extra-profiles/README | ||
# find /etc/apparmor.d/ | # find /etc/apparmor.d/ | ||
</code> | </code> | ||
- | ===== Временное отключение и включение обратно ===== | ||
- | <code> | ||
- | # service apparmor teardown | ||
- | # service apparmor restart | + | |
- | </code> | + | |
===== Создание профиля "вручную" ===== | ===== Создание профиля "вручную" ===== | ||
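Review bot: Deleting the "Временное отключение и включение обратно" (temporary disable and re-enable) section leaves the page without a runtime way to unload and reload profiles while troubleshooting; the options that remain elsewhere on the page are the `apparmor=0` boot parameter and deleting a profile file, both of which need a reboot. If `service apparmor teardown` no longer works on the releases the page covers, replace it with the current equivalent (aa-teardown, then restarting the apparmor service) rather than dropping the section.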
Line 108: | Line 141: | ||
# aa-genprof /usr/local/sbin/webd | # aa-genprof /usr/local/sbin/webd | ||
... | ... | ||
+ | #https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928160 | ||
debian10# touch /etc/apparmor.d/local/...dovecot... | debian10# touch /etc/apparmor.d/local/...dovecot... | ||
... | ... |
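Review bot: The added comment above the `debian10# touch` line is a bare bug URL, with no space after `#` and no hint of what it explains. Say in a few words what Debian bug 928160 is about and why the touch of the local/ dovecot file is needed on debian10, so the step can be dropped once it no longer applies.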