On Sat, Apr 07, 2007 at 08:27:34AM +0200, Clayton wrote:
> >AND, can someone explain in
> >SIMPLE English just what the h-e-double hockey sticks Aparmor is
> >supposed to do. Near as I can tell all it does is take up space on my
> >hard drive.
> 
> Curtis Rey had a good comment on AppArmor a few months ago (3 January):
> 
> "If you're running AppArmor - Don't!  It can interfere with apps and /dev
> access - it's designed for Enterprise/network servers with access to the
> outside world - generally overkill for home users and non-servers."

Pity Curtis doesn't actually know what AppArmor does. :) (Or, at least,
he didn't know in January..)

AppArmor does not control access to files.

AppArmor confines programs.

AppArmor allows you to list exactly which files you want Apache or
Firefox or GAIM or irssi or postfix .. to have access to. AppArmor lets
you say that your firefox can't read your ~/.ssh/* files. AppArmor lets
you say that the master Apache process (which runs as root) can't write
to /etc/shadow.

An AppArmor profile for an application is simply a list of the files and
access modes a program is allowed, as well as which specific capabilities
you're allowing the program to use. If the file isn't in the list,
the program doesn't get to use the file.

I could just paste you a profile, but the best way to learn about
something is by trying it for yourself. If you can spare ten minutes,
you can significantly improve the security of your systems:

To get started, type "aa-genprof firefox" from one terminal (or use our
YaST-equivalent, something like "New profile wizard"), start firefox,
browse around a little, quit firefox, and then hit the "scan for events"
button. Answer questions. (When starting out something like this,
just hit the "inherit this profile" button when prompted for "profile,
inherit, or unconfine?".)

Then vi /etc/apparmor.d/*firefox* and _see_ what exactly AppArmor does.

If you would like to undo whatever it is you've done, delete the relevant
files in /etc/apparmor.d/ and run /etc/init.d/boot.apparmor restart. (We
do provide an 'rcapparmor' symlink as usual on SuSE, so feel free to
save yourself some typing. :)

Hope this helps you, and others, get the most out of your computers.

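For readers who want to see the shape of a profile before running aa-genprof, here is the kind of profile the message above describes, written as an added illustration. It is not the author's profile, not something shipped by SuSE or Mozilla, and not what aa-genprof would emit on your machine: the binary path (/usr/bin/firefox), the library and plugin directories, and the ~/Downloads location are assumptions for a generic layout, and the deny/owner/network syntax is that of current AppArmor releases, which is newer than the 2007 version being discussed.

```apparmor
# Added example profile for Firefox (illustration only; paths are assumed).
# On a real system the firefox you run may be a wrapper script that execs
# the real binary, so check `which firefox` and `file` before using a path.
#include <tunables/global>

/usr/bin/firefox {
  # Shared abstractions: libc and locale data, DNS resolution, fonts, X11.
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # The program itself and its libraries/plugins: read and memory-map.
  /usr/bin/firefox                mr,
  /usr/lib/firefox/**             mr,
  /usr/lib/mozilla/plugins/**     mr,

  # Configuration, read-only.
  /etc/firefox/**                 r,

  # Per-user state the browser must write; `owner` restricts this to files
  # owned by the user firefox runs as.
  owner @{HOME}/.mozilla/**       rw,
  owner @{HOME}/.cache/mozilla/** rw,
  owner @{HOME}/Downloads/**      rw,
  owner /tmp/**                   rw,

  # Network access. Note there are no `capability` lines: a browser running
  # as an ordinary user needs none, so it is granted none.
  network inet  stream,
  network inet6 stream,

  # Everything not listed above is already refused. Explicit deny rules are
  # still worth adding for the files you care about most: a deny beats any
  # allow rule that a later, broader edit might introduce, and it keeps the
  # refused access out of the audit log as noise.
  deny @{HOME}/.ssh/**            rw,
  deny @{HOME}/.gnupg/**          rw,
}
```

To try it, save it as /etc/apparmor.d/usr.bin.firefox, load it with `apparmor_parser -r /etc/apparmor.d/usr.bin.firefox`, and start with `aa-complain /usr/bin/firefox` so that violations are only logged, not blocked; after browsing for a while, `aa-logprof` walks you through the logged accesses, and `aa-enforce /usr/bin/firefox` switches the profile to enforce mode once it is quiet. `aa-status` shows which profiles are loaded and in which mode. To unload a profile without restarting the whole service, `apparmor_parser -R /etc/apparmor.d/usr.bin.firefox` removes it from the kernel, and deleting the file keeps it from being reloaded at boot. These aa-* tools come from the apparmor-utils package (named apparmor-parser and apparmor-utils on SUSE); their exact names on a 2007 installation may differ from the ones assumed here.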