Questions tagged [apparmor]

AppArmor ("Application Armor") is a mandatory access control (MAC)-style security system for Linux. It is designed to work alongside standard Unix discretionary access control (DAC) permissions while being easy to use and deploy, because an admin can choose to confine only specific applications. This Linux kernel security module lets the system administrator restrict programs' capabilities with per-program profiles. Profiles can allow capabilities such as network access and raw socket access, and grant permission to read, write, or execute files on matching paths. AppArmor supplements the traditional Unix DAC model by providing MAC.

54 questions
12 votes, 1 answer

apparmor: same profile for multiple apps

So I have: #include /usr/bin/python2.7 { /** mixrw, deny /** lwk, } /usr/lib/jvm/java-6-openjdk/jre/bin/java { /** mixrw, deny /** lwk, } /var/www/service/usercode/*/a.out { /** mixrw, #deny /**…
ren
  • 337
  • 1
  • 10
11 votes, 1 answer

mysql init-file config option giving file not found error

I want to have a SQL script run whenever mysql starts but I can't get it working in Ubuntu 11.10. I added a "init-file" option to the mysql config file: > sudo emacs -nw /etc/mysql/my.cnf ... [mysqld] init-file=/etc/mysql/mysqlinit.sql ... But when…
Tom
  • 4,157
  • 11
  • 41
  • 52
9 votes, 1 answer

How to disallow the Docker Daemon to mount host's root file system into the container

I have the following Container Setup. On a bare metal server two Docker Daemons are installed and running. Main Docker Daemon Runs my application containers exposing 80/443 to the outside world. Plugin Docker Daemon Runs some containers provided…
Vad1mo
  • 268
  • 2
  • 14
5 votes, 2 answers

Does nginx really need dac_override in its AppArmor policy?

I am building an AppArmor policy for nginx in Ubuntu 14.04 and I cannot make it work without enabling the dac_override capability. Does nginx really need this enabled or is there some way to work around it? Overriding all discretionary access…
Federico B.
  • 221
  • 1
  • 7
5 votes, 1 answer

Apparmor denies ntpd access to its own logs

ntpd complains that it cannot access its own logs # ntpd -qgddd ... 11 Sep 16:23:00 ntpd[7262]: can't open /var/log/ntpstats/peerstats.20130911: Permission denied ... 11 Sep 16:23:01 ntpd[7262]: can't open /var/log/ntpstats/peerstats.20130911:…
Damn Terminal
  • 517
  • 3
  • 7
5 votes, 1 answer

Best way to set up permissions with nginx + php-fpm on shared hosting?

I'm running a shared hosting server with nginx and php-fpm on Debian. Everything works fine; php-fpm has separate pools for each user running as separate users and they each have their own socks. Nginx is however running as www-data because I don't…
dBi
  • 75
  • 2
  • 4
5 votes, 0 answers

Apparmor externally included hats not working

Running apache2 on Ubuntu 12.04, using mod-apparmor for change-hat support. I have installed and verified that change-hat is working but that it is not working for externally included hats like the example hat provided for phpSysInfo by the…
David
  • 354
  • 3
  • 10
4 votes, 2 answers

Reducing the verbosity of auditd, my minimal rules catch stuff they should not (apparmor)

My auditd rules and my needs are fairly simple, I want only to log root actions. # auditctl -l -a always,exit -S all -F euid=0 -F perm=x -F key=ROOT_ACTION That is the only rule, and it works: type=SYSCALL msg=audit(1550318220.514:11479):…
Nanzikambe
  • 265
  • 2
  • 8
4 votes, 2 answers

How do I get the right AppArmor profile for mysql on Ubuntu?

I think I have an old profile (copied below). I don't know where to look to find the correct profile. Is there an authoritative source for standard apparmor profiles - or would this be somewhere in mysql source? Is there a standard way to update…
Confused Vorlon
  • 171
  • 1
  • 5
4 votes, 2 answers

New Dovecot install not allowing login, giving permissions error despite saying that permissions "appear ok"

I'm installing dovecot onto a Virtualbox VM running Ubuntu Server 64-bit 14.04 guest. Dovecot itself is being installed into a Docker container (I'm not sure that that's relevant here, but am noting it just in case). I'm having trouble getting…
J L
  • 151
  • 1
  • 4
4 votes, 1 answer

AppArmor - root: "You do not have enough privilege to read the profile set."

I'm trying to use AppArmor on a remote hosted Xen server with a custom built kernel. AppArmor appears to be running, but not correctly. For example if I run the following command as root: # aa-status apparmor module is loaded. You do not have…
neoCrimeLabs
  • 41
  • 1
  • 2
4 votes, 2 answers

Strict security and virtual host isolation with Nginx?

I currently have an Apache web server set up under which each virtual host is isolated using HTTPD-ITK and the AppArmor module. Each virtual host's workers are setuid/setgid by the server and are then placed in an AppArmor profile. I'm looking to…
June Rhodes
  • 157
  • 4
4 votes, 2 answers

How can I run a command with a specific AppArmor profile/hat?

I'm hoping there exists something like sudo for AppArmor, so I can run something in a context like: aado -hat my-hat command arg arg arg Does this exist?
wowest
  • 141
  • 3
4 votes, 2 answers

MySQL moving ibdata & ib_logfile

I'm trying to move ibdata & ib_logfile to an SSD drive. I tried this way, but it doesn't work: service mysql stop cd /var/lib/ cp -ra mysql mysql_backup cp -a mysql/ibdata1 mysql/ib_logfile* /ssd_drive/mysql my.cnf looks like this (relevant…
XoR
  • 187
  • 1
  • 6
4 votes, 0 answers

Moving Rocket.Chat data to different hard drive

I have Rocket.Chat running on Ubuntu 18.04.4 LTS through Snap. I would like to move the data (but not the entire snap) to another hard drive. So far this is what I have tried: Backup Rocket.Chat sudo service snap.rocketchat-server.rocketchat-server…
user2395126
  • 297
  • 1
  • 4
  • 10