app armorってなによ
SE Linuxよりお手軽なんだそうだ。
Ubuntuで導入されてるんやね
しりませんでした orz
[hirasawa@aspire-white ~]$ sudo aa-status [sudo] password for hirasawa: apparmor module is loaded. 12 profiles are loaded. 12 profiles are in enforce mode. /sbin/dhclient /usr/bin/evince /usr/bin/evince-previewer /usr/bin/evince-thumbnailer /usr/lib/NetworkManager/nm-dhcp-client.action /usr/lib/connman/scripts/dhclient-script /usr/lib/cups/backend/cups-pdf /usr/sbin/cupsd /usr/sbin/mysqld /usr/sbin/ntpd /usr/sbin/tcpdump /usr/share/gdm/guest-session/Xsession 0 profiles are in complain mode. 4 processes have profiles defined. 4 processes are in enforce mode : /sbin/dhclient (4439) /usr/sbin/cupsd (795) /usr/sbin/mysqld (981) /usr/sbin/ntpd (4573) 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. [hirasawa@aspire-white ~]$ [hirasawa@aspire-white ~]$ find /etc/apparmor apparmor/ apparmor.d/ [hirasawa@aspire-white ~]$ find /etc/apparmor* /etc/apparmor /etc/apparmor/init /etc/apparmor/init/network-interface-security /etc/apparmor/init/network-interface-security/usr.sbin.ntpd /etc/apparmor/init/network-interface-security/sbin.dhclient /etc/apparmor/severity.db /etc/apparmor/logprof.conf /etc/apparmor/subdomain.conf /etc/apparmor.d /etc/apparmor.d/abstractions /etc/apparmor.d/abstractions/mdns /etc/apparmor.d/abstractions/mysql /etc/apparmor.d/abstractions/ubuntu-feed-readers /etc/apparmor.d/abstractions/ubuntu-browsers.d /etc/apparmor.d/abstractions/ubuntu-browsers.d/mailto /etc/apparmor.d/abstractions/ubuntu-browsers.d/java /etc/apparmor.d/abstractions/ubuntu-browsers.d/kde /etc/apparmor.d/abstractions/ubuntu-browsers.d/multimedia /etc/apparmor.d/abstractions/ubuntu-browsers.d/text-editors /etc/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common /etc/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration /etc/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files /etc/apparmor.d/abstractions/ubuntu-browsers.d/firefox /etc/apparmor.d/abstractions/ubuntu-browsers.d/productivity /etc/apparmor.d/abstractions/user-write /etc/apparmor.d/abstractions/php5 /etc/apparmor.d/abstractions/svn-repositories /etc/apparmor.d/abstractions/apache2-common /etc/apparmor.d/abstractions/winbind /etc/apparmor.d/abstractions/ubuntu-konsole /etc/apparmor.d/abstractions/dbus /etc/apparmor.d/abstractions/smbpass /etc/apparmor.d/abstractions/ubuntu-gnome-terminal /etc/apparmor.d/abstractions/ubuntu-browsers /etc/apparmor.d/abstractions/ssl_keys /etc/apparmor.d/abstractions/ubuntu-console-browsers /etc/apparmor.d/abstractions/ssl_certs /etc/apparmor.d/abstractions/kde /etc/apparmor.d/abstractions/ubuntu-email /etc/apparmor.d/abstractions/samba /etc/apparmor.d/abstractions/nvidia /etc/apparmor.d/abstractions/bash /etc/apparmor.d/abstractions/launchpad-integration /etc/apparmor.d/abstractions/python /etc/apparmor.d/abstractions/likewise /etc/apparmor.d/abstractions/ruby /etc/apparmor.d/abstractions/perl /etc/apparmor.d/abstractions/ubuntu-bittorrent-clients /etc/apparmor.d/abstractions/audio /etc/apparmor.d/abstractions/ubuntu-console-email /etc/apparmor.d/abstractions/user-tmp /etc/apparmor.d/abstractions/xad /etc/apparmor.d/abstractions/orbit2 /etc/apparmor.d/abstractions/nis /etc/apparmor.d/abstractions/consoles /etc/apparmor.d/abstractions/gnome /etc/apparmor.d/abstractions/enchant /etc/apparmor.d/abstractions/video /etc/apparmor.d/abstractions/wutmp /etc/apparmor.d/abstractions/private-files-strict /etc/apparmor.d/abstractions/user-download /etc/apparmor.d/abstractions/private-files /etc/apparmor.d/abstractions/web-data /etc/apparmor.d/abstractions/evince /etc/apparmor.d/abstractions/base /etc/apparmor.d/abstractions/kerberosclient /etc/apparmor.d/abstractions/X /etc/apparmor.d/abstractions/aspell /etc/apparmor.d/abstractions/fonts /etc/apparmor.d/abstractions/cups-client /etc/apparmor.d/abstractions/ibus /etc/apparmor.d/abstractions/nameservice /etc/apparmor.d/abstractions/gnupg /etc/apparmor.d/abstractions/dbus-session /etc/apparmor.d/abstractions/freedesktop.org /etc/apparmor.d/abstractions/authentication /etc/apparmor.d/abstractions/ubuntu-xterm /etc/apparmor.d/abstractions/ubuntu-media-players /etc/apparmor.d/abstractions/user-manpages /etc/apparmor.d/abstractions/user-mail /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/usr.sbin.tcpdump /etc/apparmor.d/usr.sbin.ntpd /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable /etc/apparmor.d/disable/usr.bin.firefox /etc/apparmor.d/sbin.dhclient3.dpkg-old /etc/apparmor.d/tunables /etc/apparmor.d/tunables/alias /etc/apparmor.d/tunables/proc /etc/apparmor.d/tunables/global /etc/apparmor.d/tunables/multiarch /etc/apparmor.d/tunables/home /etc/apparmor.d/tunables/ntpd /etc/apparmor.d/tunables/multiarch.d /etc/apparmor.d/tunables/home.d /etc/apparmor.d/tunables/home.d/ubuntu /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/gdm-guest-session /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/local /etc/apparmor.d/local/usr.bin.firefox /etc/apparmor.d/local/usr.sbin.tcpdump /etc/apparmor.d/local/usr.sbin.ntpd /etc/apparmor.d/local/usr.bin.evince /etc/apparmor.d/local/README /etc/apparmor.d/local/usr.sbin.mysqld /etc/apparmor.d/local/usr.sbin.cupsd /etc/apparmor.d/local/sbin.dhclient3 /etc/apparmor.d/local/sbin.dhclient /etc/apparmor.d/cache /etc/apparmor.d/cache/usr.sbin.tcpdump /etc/apparmor.d/cache/.features /etc/apparmor.d/cache/usr.sbin.ntpd /etc/apparmor.d/cache/usr.bin.evince /etc/apparmor.d/cache/usr.sbin.mysqld /etc/apparmor.d/cache/gdm-guest-session /etc/apparmor.d/cache/usr.sbin.cupsd /etc/apparmor.d/cache/sbin.dhclient /etc/apparmor.d/sbin.dhclient /etc/apparmor.d/force-complain [hirasawa@aspire-white ~]$
complain mode = SELinuxでいうところのpermissive mode
enforce mode = enforce mode
流れ的には
プロファイルがなければ aa-genprof で作る。
complainモードでしばらく学習させる。
aa-logprof で学習結果を反映させる。
問題なさそうならば enforceモードに切り替える。
