Differences between revisions 24 and 25
Revision 24 as of 2015-01-23 22:27:50
Size: 2641
Editor: ?IntRigeri
Comment: Add a clear warning about the current state of the "extra" profiles.
Revision 25 as of 2015-01-23 22:50:11
Size: 2642
Editor: HolgerLevsen
Comment: be more encouraging: s#will break#might break#
Deletions are marked like this. Additions are marked like this.
Line 65: Line 65:
To set these profiles to enforce mode, use `aa-enforce` instead of `aa-complain`. Note that many of these profiles are not up-to-date and will break functionality in enforce mode. To set these profiles to enforce mode, use `aa-enforce` instead of `aa-complain`. Note that many of these profiles are not up-to-date and might break functionality in enforce mode.

Translation(s): none

/Contribute   /Contribute/FirstTimeProfileImport   /Contribute/MergeProfileFromUpstream   /Contribute/Upstream   /Debug   /HowToUse   /OutReachyRound9   /Progress   /Reportbug   /UserStories  

Contents

  1. Requirements
  2. Install software
  3. Enable AppArmor
  4. Inspect the current state
  5. Enable / install more profiles
  6. Debug
  7. Learn more

Requirements

A Debian 7 "Wheezy" or newer GNU/Linux system is required.

If you are using wheezy, upgrading to systemd 204-14 from wheezy-backports is recommended, but not mandatory.

Install software

Install AppArmor userspace tools and some contributed profiles: 

$ sudo apt-get install apparmor apparmor-profiles apparmor-utils

Enable AppArmor

Enable the AppArmor LSM: 

$ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
$ sudo update-grub
$ sudo reboot

In the future, this should be automated, see #702030

Inspect the current state

$ sudo aa-status

will list all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined). 

$ ps auxZ | grep -v '^unconfined'

will list running executables which are currently confined by an AppArmor profile.

Enable / install more profiles

Find more profiles:

Once you've dropped the new profile (this is automated when installing the apparmor-profiles or the apparmor-profiles-extra package) into /etc/apparmor.d/, use apparmor_parser(8) to insert it into the kernel.

For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (security policy is not enforced, but corresponding access violations are logged), do the following: 

cd /usr/share/doc/apparmor-profiles/extras
cp -i *.* /etc/apparmor.d/
for f in *.* ; do aa-complain /etc/apparmor.d/$f; done

To set these profiles to enforce mode, use aa-enforce instead of aa-complain. Note that many of these profiles are not up-to-date and might break functionality in enforce mode.

AppArmor audit logs can be found in /var/log/syslog.

Debug

Please read the dedicated documentation for debugging AppArmor.

Learn more

See the "External links" section on the main AppArmor page.