Re: [apparmor] Problem with audit rule modifier

2013-06-28 Thread azurIt
Hi, i'm having problems with audit rule modifier - it's just not working when used alone. I'm trying to enable only logging with this: audit /home/** a, audit /home/** w, By only logging you mean logging of an access but not granting permission? I mean logging of an access AND granting

Re: [apparmor] Problem with audit rule modifier

2013-06-30 Thread azurIt
Hi, i'm having problems with audit rule modifier - it's just not working when used alone. I'm trying to enable only logging with this: audit /home/** a, audit /home/** w, By only logging you mean logging of an access but not granting permission? I mean logging of an access AND granting

Re: [apparmor] Problem with audit rule modifier

2013-06-30 Thread azurIt
Hi, i'm having problems with audit rule modifier - it's just not working when used alone. I'm trying to enable only logging with this: audit /home/** a, audit /home/** w, By only logging you mean logging of an access but not granting permission? I mean logging of an access AND granting

Re: [apparmor] Problem with audit rule modifier

2013-06-30 Thread azurIt
Hi, i'm having problems with audit rule modifier - it's just not working when used alone. I'm trying to enable only logging with this: audit /home/** a, audit /home/** w, By only logging you mean logging of an access but not granting permission? I mean logging of an access AND

Re: [apparmor] Problem with audit rule modifier

2013-06-30 Thread azurIt
Hi, i'm having problems with audit rule modifier - it's just not working when used alone. I'm trying to enable only logging with this: audit /home/** a, audit /home/** w, By only logging you mean logging of an access but not granting permission? I mean logging of an access AND

Re: [apparmor] Problem with audit rule modifier

2013-07-02 Thread azurIt
Hi, i'm having problems with audit rule modifier - it's just not working when used alone. I'm trying to enable only logging with this: audit /home/** a, audit /home/** w, By only logging you mean logging of an access but not granting permission? I mean logging of an access AND

Re: [apparmor] Problem with audit rule modifier

2013-07-03 Thread azurIt
Hi, i'm having problems with audit rule modifier - it's just not working when used alone. I'm trying to enable only logging with this: audit /home/** a, audit /home/** w, By only logging you mean logging of an access but not granting permission? I mean logging of an access AND

Re: [apparmor] Apache mod_apparmor problem

2013-08-07 Thread azurIt
On 08/07/2013 05:29 AM, azurIt wrote: Hi, i'm trying to use mod_apparmor in Apache but every request is creating new profile inside kernel, which looks like this: /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1001 /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1003

[apparmor] Symlinks creation

2013-09-19 Thread azurIt
Hi, is there a way how can i deny symlinks creation? Thank you. azur

[apparmor] Nested child profiles

2014-09-22 Thread azurIt
Hi, does apparmor support nested child profiles or child profiles inside hats? I'm asking because i'm having problems with execution using 'cx' permission inside a hat. I'm unable to create a child profile directly inside hat because of this error: apparmor_parser: Unable to replace test.

[apparmor] Variable paths

2015-02-18 Thread azurIt
Hi, i'm trying to create some kind of RBAC system for web applications using apparmor + mod_apparmor (Apache web server). mod_apparmor is able to assign different hats for different URIs, which is kinda cool. The problem is that i want to use the same hats for different users/domains

[apparmor] Support for owner specification

2016-08-24 Thread azurit
Hi, this is written in AppArmor wiki ( http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference ): === extended ownership tests (not currently supported) If the optional equal operator is used then, the test is not against the euid/fsuid but that the object has the same uid as

Re: [apparmor] Support for owner specification

2016-08-25 Thread azurit
Quoting Seth Arnold: On Wed, Aug 24, 2016 at 09:10:35PM +0200, azu...@pobox.sk wrote: >On Wed, Aug 24, 2016 at 10:46:49AM +0200, azu...@pobox.sk wrote: >> owner=fred can i, somehow, speed up the implementation? To financially sponsor it for example? Not that i

Re: [apparmor] Support for owner specification

2016-08-24 Thread azurit
Quoting Seth Arnold: On Wed, Aug 24, 2016 at 10:46:49AM +0200, azu...@pobox.sk wrote: owner=fred owner=1001 owner=(fred) owner=(fred george) owner=(fred 1001) Is this still not supported? If not, when it will be? Is support missing only in userspace tools or

[apparmor] Too much noise

2017-12-07 Thread azurit
Hi, i have this rule in my profile: owner /etc/passwd r, Problem is, that application is running under lots of different UIDs and all of them are trying to access /etc/passwd (which is not needed, only master process, running under root, needs it). How to get rid of the noise in the logs?

Re: [apparmor] Too much noise

2017-12-09 Thread azurit
Quoting John Johansen: On 12/07/2017 02:00 PM, azu...@pobox.sk wrote: Hi, i have this rule in my profile: owner /etc/passwd r, Problem is, that application is running under lots of different UIDs and all of them are trying to access /etc/passwd (which is not

Re: [apparmor] Deny other users /proc entries

2018-03-06 Thread azurit
Quoting Arkadiusz Miśkiewicz: On Tuesday 06 of March 2018, azu...@pobox.sk wrote: Hi, i'm trying to allow users to run applications like ps or htop while seeing only their own processes. Htop, for example, needs read permission to /proc//cmdline BUT when a process changes uid

[apparmor] Deny other users /proc entries

2018-03-06 Thread azurit
Hi, i'm trying to allow users to run applications like ps or htop while seeing only their own processes. Htop, for example, needs read permission to /proc//cmdline BUT when a process changes uid from root to user, this happens: - directory /proc// is correctly owned by user - file

Re: [apparmor] Patching a system profile for a specific user

2020-01-10 Thread azurit
Hi, just put this in /etc/apparmor.d/local/usr.bin.thunderbird : owner @{HOME}/.signature.d/** r, azur Quoting Sylvain Leroux: Hi everyone, I'm a seasoned Linux administrator but I have little prior experience with AppArmor. FWIW, I already have asked this question on the SuperUser

Re: [apparmor] Patching a system profile for a specific user

2020-01-11 Thread azurit
Quoting Sylvain Leroux: Thanks azur, On 11/01/2020 08:25, azu...@pobox.sk wrote: just put this in /etc/apparmor.d/local/usr.bin.thunderbird : owner @{HOME}/.signature.d/** r, My issue is I don't want to change the system configuration. This isn't possible. That file is used to local