[Apparmor-general] profile has no effect while using chroot to start application
Dieter Bloms
apparmor at bloms.de
Fri Jul 6 07:27:25 MDT 2007
Hi,
I'm using subdomain on a SLES9 SP3 with all relevant patches installed.
I can profile most of my applications and it works as expected.
One of my colleagues wants to run an application called expurgate in a
chroot environment.
I wrote a profile with an absolute path to the binary and no access to
any file.
Then I restart subdomain via rcsubdomain to reload the profile, and then
I execute the expurgate program with:
"exec env - /usr/bin/chroot /usr/local/eleven-2.0.6 bin/expurgate --configfile etc/... "
But I can't see any REJECT in the logfile.
Then I tried the path /**/bin/expurgate in the profile, but with the
same result.
I know it is more secure to run an application without chroot if I use a
subdomain profile, but my colleague wants to run the program in chroot
environment.
Here is my profile (without glob):
--snip--
# vim:syntax=subdomain
# Last Modified: Wed Jul 4 14:13:12 2007
/usr/local/eleven-2.0.6/bin/expurgate {
#include <abstractions/base>
/usr/local/eleven-2.0.6/bin/expurgate mr,
}
--snip--
and here with glob:
--snip--
# vim:syntax=subdomain
# Last Modified: Wed Jul 4 14:13:12 2007
/**/bin/expurgate {
#include <abstractions/base>
/**/bin/expurgate mr,
}
--snip--
Thank you for any help!
--
Regards
Dieter
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.