Mandatory Access Control on

Working with profiles

Mon, 01 Jan 0001 00:00:00 +0000

Creating a Profile

In addition to the existing profiles in the appliances, AppArmor allows creating profiles for other executable files present in the system. Using the aa-genprof command, you can create a profile to protect a file. When this command is run, AppArmor loads that file in complain mode and provides an option to analyze all the activities that might arise. It learns about all the activities that are present in the file and suggests the permissions that can be applied on them. After the permissions are assigned to the file, the profile is created and set in the enforce mode.

Analyzing events

Mon, 01 Jan 0001 00:00:00 +0000

AppArmor provides an interactive tool to analyze the events occurring in the system. The aa-logprof is one such utility that scans the logs for the events in your system. The aa-logprof command scans the logs and provides a set actions for modifying a profile.

Consider the apparmor_example.sh script that is in the enforce mode. After a certain period of time, you modify the script and insert a command to list all the files in the directory. When you run the apparmor_example.sh script, a Permission denied error appears on the screen. As a new command is added to this script and permissions are not assigned to the updated entry, AppArmor does not allow the script to run. The permissions must be assigned before the script is executed. To evaluate the permissions that can be applied to the new entries, you can view the logs for details. On the ESA CLI Manager, the logs are available in the audit.log file in the /var/log/ directory. The following figure displays the logs that appear for the apparmor_example.sh script.

AppArmor permissions

Mon, 01 Jan 0001 00:00:00 +0000

The following table describes the different permissions that AppArmor lists when creating a profile or analyzing events.

Permission	Description
(I)nherit	Inherit the permissions from the parent profile.
(A)llow	Allow access to a path.
(I)gnore	Ignore the prompt.
(D)eny	Deny access to a path.
(N)ew	Create a new profile.
(G)lob	Select a specific path or create a general rule using wild cards that match a broader set of paths.
Glob with (E)xtension	Modify the original directory path while retaining the filename extension.
(C)hild	Creates a rule in a profile, requires a sub-profile to be created in the parent profile, and rules must be separately generated for this child.
Abo(r)t	Exit AppArmor without saving the changes.
(F)inish	Finish scanning for the profile.
(S)ave	Save the changes for the profile.

Troubleshooting for AppArmor

Mon, 01 Jan 0001 00:00:00 +0000

The following table describes solutions to issues that you might encounter while using AppArmor .

Issue	Reason	Solution
After you run the File Export or File Import operation in the ESA, the following message appears in the logs: type=AVC msg=audit(1594813145.658:7306): apparmor="DENIED" operation="exec" profile="/usr/sbin/apache2" name="/usr/lib/sftp-server" pid=58379 comm="bash" requested_mask="x"* denied_mask="x" *fsuid=0 ouid=0FSUID="root" OUID="root"		Perform the following steps: On the CLI Manager, navigate to Administration → OS Console Navigate to the `/etc/apparmor.d/custom` directory. Edit the `usr.sbin.apache2` profile. Insert the following line. /usr/lib/sftp-server rix, Restart the AppArmor service using the following command. /etc/init.d/apparmor restart
If a scheduler task containing a customized script is run, then the scheduled task is not executed and a denial message appears in the log. For example, if a task scheduler contains the `/demo.sh` script in the command line, the following message appears in the logs. type=AVC msg=audit(1598429205.615:35253): apparmor="DENIED" operation="exec" profile="/usr/sbin/apache2" name="/demo.sh" pid=32684 comm=".taskV5FLVl.tmp" requested_mask="x" denied_mask="x" fsuid=0 ouid=0FSUID="root" OUID="root"	AppArmor restricts running any custom scripts from the scheduled task	Perform the following steps. On the CLI Manager, navigate to Administration → OS Console Navigate to the `/etc/apparmor.d/custom` directory. Edit the `usr.sbin.apache2` profile. Insert the following line. /demo.sh rix, Restart the AppArmor service using the following command. /etc/init.d/apparmor restart
If you run the Put Files operation between two machines in a TAC, the following messages appear as logs in the source and target appliances. Source appliance type=AVC msg=audit(1598288495.530:5168): apparmor="DENIED" operation="mknod" profile="/etc/opt/Cluster/cluster_helper" name="/dummyfilefortest.sh" pid=62621 comm="mv" requested_mask="c" denied_mask="c" fsuid=0 ouid=0FSUID="root" OUID="root" Target appliance type=AVC msg=audit(1598288495.950:2116): apparmor="DENIED" operation="chown" profile="/etc/opt/Cluster/cluster_helper" name="/dummyfilefortest.sh" pid=17413 comm="chown" requested_mask="w" denied_mask="w" fsuid=0 ouid=0FSUID="root" OUID="root"		Perform the following steps. On the CLI Manager, navigate to Administration → OS Console Navigate to the `/etc/apparmor.d/custom` directory. Edit the `etc.opt.Cluster.cluster_helper` profile. Insert the following line on the source appliance /<filename> cix, Insert the following line on the target appliance /<filename> wix, Restart the AppArmor service on the source and target appliances using the following command. /etc/init.d/apparmor restart