User Tools
модуль_apparmor
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
модуль_apparmor [2020/07/15 15:56] val [Создание профиля вручную] |
модуль_apparmor [2024/05/14 14:15] (current) val [Включение/Выключение] |
||
|---|---|---|---|
| Line 5: | Line 5: | ||
| * [[http://www.ibm.com/developerworks/ru/library/l-apparmor-1/index.html|Безопасный Linux : Часть первая. AppArmor – песочница для приложений]] | * [[http://www.ibm.com/developerworks/ru/library/l-apparmor-1/index.html|Безопасный Linux : Часть первая. AppArmor – песочница для приложений]] | ||
| - | ===== Установка ===== | + | * [[https://wiki.debian.org/AppArmor/HowToUse|debian AppArmor HowToUse]] |
| + | * [[https://help.ubuntu.com/community/AppArmor|ubuntu AppArmor]] | ||
| - | ==== Debian 9 ==== | + | ===== Включение/Выключение ===== |
| - | * [[https://wiki.debian.org/AppArmor/HowToUse|AppArmor HowToUse]] | + | * В Debian/Ubuntu включен по умолчанию |
| + | <code> | ||
| + | # ###apt install apparmor | ||
| + | |||
| + | # aa-status | ||
| + | </code> | ||
| + | |||
| + | === Включение === | ||
| <code> | <code> | ||
| # mkdir /etc/default/grub.d | # mkdir /etc/default/grub.d | ||
| Line 17: | Line 25: | ||
| </code><code> | </code><code> | ||
| GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor" | GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor" | ||
| + | </code> | ||
| + | |||
| + | === Выключение === | ||
| + | <code> | ||
| + | # cat /etc/default/grub | ||
| + | </code><code> | ||
| + | ... | ||
| + | GRUB_CMDLINE_LINUX="... apparmor=0" | ||
| + | ... | ||
| </code><code> | </code><code> | ||
| # update-grub | # update-grub | ||
| Line 22: | Line 39: | ||
| # init 6 | # init 6 | ||
| </code> | </code> | ||
| - | ==== Debian/Ubuntu ==== | + | |
| + | |||
| + | ===== Определение наличия и правка профилей для служб ===== | ||
| + | |||
| + | * [[Сервис Clamav]] | ||
| <code> | <code> | ||
| - | # apt install apparmor | + | # ps axZ #| grep [c]lam |
| - | # aa-status | + | # find /etc/apparmor.d/ |
| - | </code> | + | |
| - | ===== Определение наличия профилей для служб ===== | + | # cat /etc/apparmor.d/usr.sbin.clamd |
| + | </code><code> | ||
| + | ... | ||
| + | /disk2/ rw, | ||
| + | /disk2/** krw, | ||
| + | |||
| + | /var/CommuniGate/ rw, | ||
| + | /var/CommuniGate/** krw, | ||
| + | ... | ||
| + | </code><code> | ||
| + | # cat /etc/apparmor.d/local/usr.sbin.dhcpd | ||
| + | </code><code> | ||
| + | /**/dhcp/ r, | ||
| + | /**/dhcp/** r, | ||
| + | </code> | ||
| + | или | ||
| <code> | <code> | ||
| - | # ps axZ # apt install bind9 | + | # rm /etc/apparmor.d/usr.sbin.dhcpd |
| + | </code><code> | ||
| + | # init 6 | ||
| # apt install apparmor-utils | # apt install apparmor-utils | ||
| Line 38: | Line 76: | ||
| # apt install apparmor-profiles | # apt install apparmor-profiles | ||
| + | |||
| + | # less /usr/share/apparmor/extra-profiles/README | ||
| # find /etc/apparmor.d/ | # find /etc/apparmor.d/ | ||
| </code> | </code> | ||
| - | ===== Временное отключение и включение обратно ===== | ||
| - | <code> | ||
| - | # service apparmor teardown | ||
| - | # service apparmor restart | + | |
| - | </code> | + | |
| ===== Создание профиля "вручную" ===== | ===== Создание профиля "вручную" ===== | ||
| Line 90: | Line 126: | ||
| # aa-complain /usr/local/sbin/webd | # aa-complain /usr/local/sbin/webd | ||
| - | # find /etc/apparmor.d/ | grep webd | + | # aa-status |
| - | # aa-enforce /usr/local/sbin/webd | + | # tail -f /var/log/audit/audit.log | grep usr.local.sbin.webd |
| - | # tail -f /var/log/syslog | grep usr.local.sbin.webd | + | # aa-enforce /usr/local/sbin/webd |
| # tail -f /var/log/audit/audit.log | grep usr.local.sbin.webd | # tail -f /var/log/audit/audit.log | grep usr.local.sbin.webd | ||
| Line 107: | Line 143: | ||
| <code> | <code> | ||
| # aa-genprof /usr/local/sbin/webd | # aa-genprof /usr/local/sbin/webd | ||
| + | ... | ||
| + | #https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928160 | ||
| + | debian10# touch /etc/apparmor.d/local/...dovecot... | ||
| ... | ... | ||
| # cat /etc/apparmor.d/usr.local.sbin.webd | # cat /etc/apparmor.d/usr.local.sbin.webd | ||
| - | </code><code> | + | ... |
| - | # Last Modified: Fri Mar 30 06:29:37 2012 | + | |
| - | #include <tunables/global> | + | |
| - | + | ||
| - | /usr/local/sbin/webd { | + | |
| - | #include <abstractions/base> | + | |
| - | #include <abstractions/bash> | + | |
| - | #include <abstractions/apache2-common> | + | |
| - | + | ||
| - | /usr/local/sbin/webd r, | + | |
| - | /bin/bash ix, | + | |
| - | /bin/cat rix, | + | |
| - | /etc/magic r, | + | |
| - | /usr/bin/file rix, | + | |
| - | /usr/share/file/magic.mgc r, | + | |
| /var/www/* r, | /var/www/* r, | ||
| } | } | ||
модуль_apparmor.1594817776.txt.gz · Last modified: 2020/07/15 15:56 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
