Thread: RBAC pam apparmor

  1. #1

    RBAC pam apparmor

    Hello! I'm trying to implement some basic role-based access control on my system as described here: https://gitlab.com/apparmor/apparmor...s/pam_apparmor, and here: https://gitlab.com/apparmor/apparmor...parmor_example. I've added the files as described and added a little test line for the confined_user profile in pam_roles, as such:

    profile confined_user {
    ...
    deny /home/USERNAME/testfile rwk,
    }

    I can see that the correct profile is in enforce mode (/bin/su//USERNAME), I have libpam-apparmor installed, and I've added the necessary lines in the su pam configuration file. Yet if I su to USERNAME I can still edit and read the testfile logged in as USERNAME. If I change the apparmor line in /etc/pam.d I cannot use su anymore (su: cannot open session: System error), which means that the transition isn't happening.

    How do I get this to work?
    Also, where may I find better (more recent?) and more complete documentation of pam apparmor and apparmor RBAC?




    ---------------------------
    Here are the files I've used (more or less the same as the pam apparmor example linked above):
    /etc/pam-d/su https://pastebin.com/X1a5UAbZ
    /etc/apparmor.d/pam_roles https://pastebin.com/rU0vnTtU (replaced my actual username with USERNAME)
    /etc/apparmor.d/pam_binaries https://pastebin.com/MyaRj18Z
    /etc/apparmor.d/pa/mappings https://pastebin.com/maFMFpxP

  2. #2

    Re: RBAC pam apparmor

    Minor errors in the text: The error "su: cannot open session: System error" happens when I change the pam apparmor line from optional to required.
    There are also some irrelevant grammatical errors in the file paths before the pastebin links.

  3. #3

    Re: RBAC pam apparmor

    Also, here are the error messages when I try to su from user olof to admin
    https://pastebin.com/AVw5PEVK

  4. #4

    Re: RBAC pam apparmor

    Quote: Originally posted by gertrud.af.svaneholm
    Minor errors in the text: The error "su: cannot open session: System error" happens when I change the pam apparmor line from optional to required.
    Is pam_apparmor installed?

    P.S. please always put computer text inside [code]...[/code] tags.
    P.P.S. please upload information to https://susepaste.org, not to commercial sites. Not everyone can or wants to access them.

  5. #5

    Re: RBAC pam apparmor

    Quote: Originally posted by arvidjaar
    Is pam_apparmor installed?

    P.S. please always put computer text inside [code]...[/code] tags.
    P.P.S. please upload information to https://susepaste.org, not to commercial sites. Not everyone can or wants to access them.

    Sorry about that, first time posting here.
    Yes, libpam-apparmor is installed.

  6. #6

    Re: RBAC pam apparmor

    Quote: Originally posted by gertrud.af.svaneholm
    Yes, libpam-apparmor is installed.
    Such a package does not exist in openSUSE. I asked about pam_apparmor.
