or, maybe you want to explain what it is you try to do:
-deny wget to some/all local users
-deny ftp fetch to all/some local users
-deny http fetch to all/some local users
-deny https fetch to some/all local users
-or what?
Seems to me that SELinux is more what you are looking for. I could be wrong, but I thought that AppArmor was more aimed at defining and preventing system changes than at restricting access.
>
> I see that you are confused by the application that I chose for testing. I want
> somebody to explain to me how to activate network restrictions with my
> AppArmor.
>
>
can you check as root with
Yes, the profile is loaded and enforced. Moreover, wget can't write the downloaded file to the filesystem because of AppArmor write restrictions. I am a little confused by the absence of 'socket_create' messages in my /var/log/audit/audit.log.
>
> Yes, the profile is loaded and enforced. Moreover, wget can't write the
> downloaded file to the filesystem because of AppArmor write restrictions. I
> am a little confused by the absence of 'socket_create' messages in my
> /var/log/audit/audit.log.
>
>
OK, I have to say I never tried to use the network access/deny features of
AppArmor (only file-related things). So this is also new to me, and I have to
check in baby steps how it works; it is something I am also interested in.
Just to be sure that the network access restrictions work at all, I took the
bin.ping profile from /etc/apparmor.d and edited it so that network is
disabled.
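The experiment Martin describes (edit a profile so networking is denied, reload it, confirm it is enforced, then look for the socket messages in the audit log) is written out below as an added example; it is not code from this thread or from the AppArmor project. It assumes AppArmor 2.x profile syntax (`audit` and `deny` qualifiers on a `network` rule), a wget profile path and file rules chosen for illustration, and the audit line layout that the poster refers to (`operation="socket_create"` with `family=` and `sock_type=` fields); the sample log lines are constructed, not captured from a real system. Newer kernels log the same event as `operation="create"`, which the filter also accepts.

```shell
#!/bin/sh
# Added example for the thread above. Assumptions: AppArmor 2.x profile
# syntax, a hypothetical /usr/bin/wget profile, and constructed audit lines.

# Profile with networking denied and audited. AppArmor is default-deny: a
# profile with no network rule gets no sockets at all (when the kernel
# mediates networking), which is why a bare "network" rule is an ALLOW.
# "audit deny network," refuses every family/type and logs each attempt.
wget_profile() {
    cat <<'EOF'
#include <tunables/global>

/usr/bin/wget {
  #include <abstractions/base>

  # refuse and log every socket creation attempt
  audit deny network,

  /usr/bin/wget mr,
  /etc/wgetrc r,
  owner @{HOME}/** rw,
}
EOF
}

# Load the profile and provoke a denial. Needs root and an AppArmor kernel,
# so it is only defined here, not run. If auditd is not running, the
# messages land in the kernel log (/var/log/messages or dmesg) instead of
# /var/log/audit/audit.log.
load_and_test() {
    wget_profile > /etc/apparmor.d/usr.bin.wget
    apparmor_parser -r /etc/apparmor.d/usr.bin.wget
    # aa-status (apparmor_status on older releases) must list the profile
    # under "profiles are in enforce mode"
    aa-status | grep -F '/usr/bin/wget'
    wget -O /dev/null http://example.invalid/ || true
    grep 'profile="/usr/bin/wget"' /var/log/audit/audit.log | tail -n 5
}

# Extract AppArmor socket decisions for one profile from audit lines on
# stdin. Prints "DECISION OPERATION FAMILY SOCK_TYPE" per matching line,
# so file denials (operation="open") and other profiles are dropped.
network_events() {
    grep -F "profile=\"$1\"" \
      | grep -E 'operation="(socket_create|create)"' \
      | sed -E 's/.*apparmor="([A-Z]+)".*operation="([a-z_]+)".*family="([a-z0-9]+)".*sock_type="([a-z]+)".*/\1 \2 \3 \4/'
}

# Constructed audit lines (not real captures): one socket denial for wget,
# one file-write denial for wget, one raw socket allowed for ping.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1264000000.100:101): apparmor="DENIED" operation="socket_create" family="inet" sock_type="stream" protocol=6 profile="/usr/bin/wget" pid=4242 comm="wget"
type=AVC msg=audit(1264000000.101:102): apparmor="DENIED" operation="open" name="/home/user/index.html" profile="/usr/bin/wget" pid=4242 comm="wget" requested_mask="w"
type=AVC msg=audit(1264000000.102:103): apparmor="ALLOWED" operation="socket_create" family="inet" sock_type="raw" protocol=1 profile="/bin/ping" pid=4243 comm="ping"
EOF
}

# Stand-alone run: show what the filter would report for each profile.
echo "wget:"; sample_log | network_events /usr/bin/wget
echo "ping:"; sample_log | network_events /bin/ping
```

If `network_events` prints nothing for a profile that is enforced and has `audit deny network,`, either the kernel is not mediating networking at all or the messages are going to the kernel log rather than to auditd; checking both places before filing a bug separates "no mediation" from "wrong log file".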
>
> As far as I understand from kernel source, we should see
> operation=“socket_create” when ‘network’ is active.
>
>
Basically I would expect to see something like this, but ping is raw no
packets or socket so I am unsure.
At this point I think I have to read the docs for the network access control
via AppArmor again. I cannot interpret the behaviour I see, and this means I
did not really understand how it is supposed to work. Maybe I missed
something obvious.
Google also does not give me much useful information about it.
> Basically I would expect to see something like this, but ping is raw no
> packets or socket so I am unsure.
>
Sorry, typo: of course packets, but it should have been: no protocol.
I really do not know how much they will help you as (I guess) that forum is aimed at supporting
paying customers (using SLED/S) but, perhaps if you lay out your question clearly, and 'forget' to
mention "openSUSE 11.2", you will have your answer before they ask (if they ever do)... I mean, they
may want to know that the Russian documentation is unclear...
Actually, I do not know; maybe they welcome you with open arms... paid support or not...
I do know your login credentials here will get you into their fora also...
OH!!! The SLES/SLED free download includes "free updates and maintenance for 60 days"
<http://www.novell.com/linux/download_linux.html>; you might consider installing it in a sandbox and
setting it up for your AppArmor questions...
Who knows, you might like it so much you buy the support/update package (at least it won't go
unsupported in May 2011 as openSUSE 11.2 will).
matwey wrote:
> I think I should file a bug in Bugzilla. But maybe there is an
> explanation. Let's wait a little.
Understood, and I can't disagree... I was thinking that maybe if you post
to the Novell forum you might catch an AppArmor guru there (not that
Martin is not)...
Also, since this forum is populated mostly by folks with needs a lot
less technical than yours [mostly n00bs jumping off the Redmond
ship], you might find more help/info in a mailing list; see: http://en.opensuse.org/Communicate/Mailinglists
matwey wrote:
> ‘AppArmor: ‘network’ rule - NOVELL FORUMS’
> (http://tinyurl.com/yah52gg)
>
> I think I should file a bug in Bugzilla. But maybe there is an
> explanation. Let's wait a little.
>
After reading the official documentation on AppArmor again, I cannot find
what's wrong. In my understanding it should work as you tried it.
So I am also interested in the answer you receive at the Novell forum.