
List:       apparmor-general
Subject:    Re: [Apparmor-general] profile has no effect while using chroot to
From:       Seth Arnold <seth.arnold () suse ! de>
Date:       2007-07-06 22:11:46
Message-ID: 20070706221146.GA13101 () suse ! de



On Fri, Jul 06, 2007 at 03:27:25PM +0200, Dieter Bloms wrote:
> I wrote a profile with an absolute path to the binary and no access to
> any file.
> Then I restart subdomain via rcsubdomain to reload the profile, and then
> I execute the expurgate program with:
> "exec env - /usr/bin/chroot /usr/local/eleven-2.0.6 bin/expurgate --configfile etc/... "
> 
> But I can't see any REJECT in the logfile.
> Then I tried the path /**/bin/expurgate in the profile, but with the
> same result.

> # vim:syntax=subdomain
> # Last Modified: Wed Jul  4 14:13:12 2007
> /usr/local/eleven-2.0.6/bin/expurgate {
>   #include <abstractions/base>
> 
>   /usr/local/eleven-2.0.6/bin/expurgate mr,
> }

Hello Dieter; the way that chroot is being used here, the pathname that
the kernel (and AppArmor) will see is actually /bin/expurgate. The
chroot to /usr/local/eleven-2.0.6 causes the pathnames to be seen
differently.

(I believe that the version of AppArmor submitted to the Linux Kernel
Mailing List for inclusion into the mainline Linux kernel would behave
as you expect it to, so some day this profile should work as intended.)

Try:

/bin/expurgate {
  #include <abstractions/base>

  /bin/expurgate mixr,
}

> # vim:syntax=subdomain
> # Last Modified: Wed Jul  4 14:13:12 2007
>   /**/bin/expurgate {

Sadly, this doesn't work at all. It should probably throw an error,
though I know once upon a time we intended to support it.

>   #include <abstractions/base>
> 
>   /**/bin/expurgate mr,
> }

Hope this helps.


_______________________________________________
Apparmor-general mailing list
Apparmor-general@forge.novell.com
http://forge.novell.com/mailman/listinfo/apparmor-general
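The point of the reply above is that the AppArmor of that era named the profile by the path the kernel sees after chroot(1), not by the host path. The following shell functions, an added example that is not part of the thread (the function names are my own), compute that in-chroot path from the chroot directory and the command as typed, and print a profile in the shape Seth suggested:

```sh
#!/bin/sh
# Added example, not from the mailing list thread. Function names are my own.
#
# chroot_visible_path ROOT CMD
#   ROOT: the directory handed to chroot(1)
#   CMD:  the command as written after it (relative to ROOT, as in the
#         original invocation) or as a host-absolute path under ROOT
#   Prints the absolute path the kernel (and the old AppArmor) sees.
chroot_visible_path() {
    root=${1%/}                 # drop a trailing slash so prefix stripping is exact
    cmd=$2
    case $cmd in
        "$root"/*)              # host path inside the jail: strip the chroot prefix
            echo "${cmd#"$root"}" ;;
        /*)                     # absolute path outside ROOT: it does not exist in the jail
            echo "error: $cmd is not under $root" >&2
            return 1 ;;
        *)                      # relative path: chroot(1) chdirs to the new "/" before exec
            echo "/$cmd" ;;
    esac
}

# chroot_profile ROOT CMD
#   Prints a profile named after the in-chroot path, with the execute rule
#   from the reply (m, ix, r on the binary itself).
chroot_profile() {
    p=$(chroot_visible_path "$1" "$2") || return 1
    printf '%s {\n  #include <abstractions/base>\n\n  %s mixr,\n}\n' "$p" "$p"
}

# The invocation from the thread: chroot /usr/local/eleven-2.0.6 bin/expurgate
chroot_profile /usr/local/eleven-2.0.6 bin/expurgate
```

Running it prints a profile headed `/bin/expurgate {`, which is the name the reply recommends instead of the host path `/usr/local/eleven-2.0.6/bin/expurgate`.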

