[Apparmor-general] problem with profiling sshd under OpenSuSE 10.2
ps
ps at icpnet.pl
Thu Feb 8 16:14:04 MST 2007
ps wrote:
> Hello
> I have recently spent a few days playing with AppArmor on my OpenSuSE 10.2
> box. I wanted to create an AppArmor profile for my ssh server. I transferred
> the usr.sbin.sshd file which is shipped with OpenSuSE 10.2 to /etc/apparmor.d.
> I reloaded AppArmor (command: rcapparmor restart) and started the ssh server.
> It seemed OK but when I tried to log in I saw some log trails in
> /var/log/audit/audit.log:
>
> type=APPARMOR msg=audit(1170534772.421:7743): REJECTING access to
> capability 'invalid-capability' (sshd(18736) profile /usr/sbin/sshd
> active /usr/sbin/sshd)
>
>
> and in /var/log/messages:
>
> Feb 3 21:32:52 pacer sshd[18733]: Accepted keyboard-interactive/pam for
> piter from 127.0.0.1 port 57565 ssh2
> Feb 3 21:32:52 pacer sshd[18736]: pam_loginuid(sshd:session):
> set_loginuid failed
> Feb 3 21:32:52 pacer sshd[18736]: error: PAM: pam_open_session():
> Cannot make/remove an entry for the specified session
>
>
> I have a typical PAM configuration on my linux box, I didn't change anything
> since the first installation. I guess these strange log trails weren't caused by me.
>
> Can anyone explain to me what is wrong with this standard profile shipped
> with OpenSuSE 10.2 or is there any bug in the AppArmor implementation in the
> newest OpenSuSE;)
>
> Thanks for any answer and explanation:)
>
> Peter
Hello. I spent a few hours tuning the sshd profile which is shipped with
AA in OpenSuSE 10.2. I would like to use a profile in which I can indicate
which programs can be run under a user session. For example some user logs
in (via ssh) to his account and I can indicate for him what programs he can
use, others are denied. Can I do this with AA?
I think I should create some profile for /bin/bash because programs
which users can use are run under /bin/bash. If I have a profile for
/bin/bash I will be able to confine /bin/bash to some set of programs.
In the original profile shipped with OpenSuSE 10.2 /bin/bash has Ux
permissions. It means no control for bash and programs which are run
under it.
There is also a security note on the Novell website about AA and Ux mode:
WARNING: Using Unconstrained Execute Mode (Ux)
"Use Ux only in very special cases. It enables the designated child
processes to be run without any AppArmor protection. Use this mode only
if the child absolutely must be run unconfined. Use at your own risk."
Do you have any idea how to create this kind of profile? I think it will
be very useful for everyone who provides shell accounts for users.
Thanks for help.
Best regards
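One way to get what the reply asks for, shown here as an added illustration that is not from the original thread or from the SUSE-shipped profiles: change the sshd profile's rule for the login shell from Ux to Px so bash runs under its own profile, and write a profile for /bin/bash that lists the programs users may run. The allowed program list, the home-directory globs and the abstractions are assumptions chosen for the illustration; a program or path the shell or one of its children touches that is not listed is refused and shows up as a REJECTING entry in audit.log, in the same format as the line in the quoted post.

```apparmor
# Constructed example profile, e.g. saved as /etc/apparmor.d/bin.bash
#
# In usr.sbin.sshd the rule for the login shell changes from
#   /bin/bash  Ux,
# to
#   /bin/bash  Px,
# so sshd hands the shell over to the profile below (Px also scrubs
# the environment) instead of leaving it unconfined.
#include <tunables/global>

/bin/bash {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # the shell binary and the files it reads at login
  /bin/bash               mr,
  /etc/profile            r,
  /etc/bash.bashrc        r,
  /etc/profile.d/         r,
  /etc/profile.d/*        r,
  /etc/inputrc            r,
  /dev/pts/*              rw,
  /tmp/                   rw,
  /tmp/**                 rwl,

  # users' own files (assumed to live under /home)
  /home/*/                r,
  /home/*/**              rw,

  # programs the user may run.  "ix" makes the child inherit THIS profile,
  # so it is limited to the same paths listed here; anything not listed
  # cannot be executed at all and is logged as REJECTING.
  /bin/ls                 ix,
  /bin/cat                ix,
  /bin/cp                 ix,
  /bin/mv                 ix,
  /bin/rm                 ix,
  /usr/bin/less           ix,
  /usr/bin/vim            ix,
}
```

Load it in complain mode first and work through the REJECTING entries in audit.log until an ordinary login session produces none, then switch to enforce. Note that AppArmor confines by program path, not by user, so this profile applies to every session sshd starts through /bin/bash; users who need different program sets would need different login shells, each with its own profile.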