[Apparmor-general] AppArmor definition of a home directory too rigid

John Johansen jjohansen at suse.de
Thu Aug 2 00:09:17 MDT 2007


On Thu, Aug 02, 2007 at 12:52:31PM +1000, Michael.James at csiro.au wrote:
> The supplied AppArmor Profiles are causing a rash of problems.
> 
Which release of apparmor are you using, with which OS and version?

And yes, incomplete profiles can cause lots of problems.  If you change
the configuration away from the default, the profiles need to be modified.

> Tip:
> To help stay ahead of trouble, put this into   /etc/logdigest/alarming.local
> 
> 	kernel: SubDomain: REJECTING
> 
> You'll see all the hits in your logdigest email.
> (You do use logdigest don't you? It's magic for sysadmins)
> 
A very good tip, though with newer versions of apparmor you will
need to move from SubDomain to APPARMOR.

> 
> Home Dir recognition:
> It is written explicitly in almost all subdomain's profiles
>  that home dirs are of the form  /home/<username>/
Yes, this used to be the case, and unfortunately it is not easy to modify
when your system needs a different configuration.

> If like me you use  /home/<group>/<username>
> Apparmor will cause you many subtle problems.
> I notice it when  ~/.ssh/authorized_keys  stops working.
> 
> This is a bug, and will go on being one till we get
>  a system that feeds a variable definition into the profiles.
Yes this is a problem.  Newer versions of apparmor (I believe 10.2 was
the first) have picked up the ability to use variables.  Unfortunately
there has been no release with variable support for older suse/sles
releases.

> Base its value on the default new user profile from YaST.
> 
Unfortunately the variables are not exposed in Yast yet :(
Though that is the goal.

> In the meantime the default profiles need to relax
> 	 /home/*/   to   /home/**/
> 
> 	root> cd /etc/subdomain
> 	root> perl  -i  -pe's|/home/*/|/home/**/|'   \
> 		*bin* *lib* abstractions/* program-chunks/*
> 
> Individual installations could put an explicit  /home/*/*/
> 
Profiles should now be using @{HOME}, and if they don't it is a bug.

The @{HOME} variable can be modified by editing
/etc/apparmor.d/tunables/home

> That's my opinion and I'm sticking to it.
Well, I can certainly understand your opinion.

> On a server with any reasonable number of users,
>  having the home dirs grouped is too big a win
>  to change just because "the system wants it that way".
> 
Yep, it can be really nice.

thanks for your report
john
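To see concretely why a /home/<group>/<username> layout falls outside the stock profiles, here is an added example (not code from the thread or from the AppArmor project) that expands @{HOME} from a tunables/home-style definition and checks whether a rule path covers a real file. The tunables text is constructed to mirror the documented @{HOMEDIRS}/@{HOME} syntax; the collapsing of doubled slashes after expansion is an assumption about parser behaviour.

```python
"""Check whether an AppArmor path rule built from @{HOME} covers a given file."""
import re

# Constructed stand-in for /etc/apparmor.d/tunables/home (assumption).
TUNABLES_DEFAULT = """
@{HOMEDIRS}=/home/
@{HOME}=@{HOMEDIRS}/*/ /root/
"""
# Same definition with one extra level for /home/<group>/<username> sites.
TUNABLES_GROUPED = """
@{HOMEDIRS}=/home/
@{HOME}=@{HOMEDIRS}/*/*/ /root/
"""

VAR_RE = re.compile(r"^\s*@\{(\w+)\}\s*=\s*(.+?)\s*$")

def parse_tunables(text):
    """Return {name: [values]} for each '@{NAME}=v1 v2 ...' line."""
    out = {}
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2).split()
    return out

def expand(pattern, tunables):
    """Expand @{VAR} references into a list of concrete glob patterns."""
    m = re.search(r"@\{(\w+)\}", pattern)
    if not m:
        return [re.sub(r"/+", "/", pattern)]  # collapse '//' left by expansion (assumed)
    results = []
    for value in tunables[m.group(1)]:
        results.extend(expand(pattern[:m.start()] + value + pattern[m.end():], tunables))
    return results

def glob_to_regex(glob):
    """AppArmor globbing: '*' and '?' stay within one path component, '**' crosses '/'."""
    parts = re.split(r"(\*\*|\*|\?)", glob)
    regex = "".join({"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(p, re.escape(p)) for p in parts)
    return re.compile("^" + regex + "$")

def rule_matches(rule_path, tunables, real_path):
    """True if any expansion of rule_path matches real_path."""
    return any(glob_to_regex(g).match(real_path) for g in expand(rule_path, tunables))

if __name__ == "__main__":
    rule, key = "@{HOME}/.ssh/authorized_keys", "/home/research/alice/.ssh/authorized_keys"
    print("default:", rule_matches(rule, parse_tunables(TUNABLES_DEFAULT), key))  # False
    print("grouped:", rule_matches(rule, parse_tunables(TUNABLES_GROUPED), key))  # True
```

Note that the grouped definition in turn stops matching a plain /home/<username>/ key; `@{HOMEDIRS}/**/` covers both layouts, at the cost of matching any depth under /home/.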