Hello! I’m trying to implement some basic role-based access control on my system as described here: https://gitlab.com/apparmor/apparmor/-/wikis/pam_apparmor, and here: https://gitlab.com/apparmor/apparmor/-/wikis/Pam_apparmor_example. I’ve added the files as described and added a little test line for the confined_user profile in pam_roles, as such:
profile confined_user {
…
deny /home/USERNAME/testfile rwk,
}
I can see that the correct profile is in enforce mode (/bin/su//USERNAME), I have libpam-apparmor installed, and I’ve added the necessary lines in the su pam configuration file. Yet if I su to USERNAME I can still edit and read the testfile logged in as USERNAME. If I change the apparmor line in /etc/pam.d I cannot use su anymore (su: cannot open session: System error), which means that the transition isn’t happening :(.
How do I get this to work?
Also, where may I find better (more recent?) and more complete documentation of pam apparmor and apparmor RBAC?
Here are the files I’ve used (more or less the same as the pam apparmor example linked above).
/etc/pam.d/su https://pastebin.com/X1a5UAbZ
/etc/apparmor.d/pam_roles https://pastebin.com/rU0vnTtU (replaced my actual username with USERNAME)
/etc/apparmor.d/pam_binaries https://pastebin.com/MyaRj18Z
/etc/apparmor.d/pam/mappings https://pastebin.com/maFMFpxP
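One way to check whether the hat transition described above actually happened, and whether the deny rule on the testfile is firing, as an added example that is not part of the original post or of the AppArmor wiki: it inspects what `cat /proc/$$/attr/current` prints in the su'd shell (a hat shows up as `/bin/su//USERNAME (enforce)`, no transition shows up as `unconfined`) and counts the AppArmor `DENIED` events for the test file under that hat in audit/kernel log lines. The log lines and `attr/current` strings below are constructed samples, and USERNAME is the post's own placeholder.

```shell
#!/bin/sh
# Added diagnostic helper, not from the original post.
# Constructed sample inputs follow; on a real system you would feed in
# `cat /proc/$$/attr/current` from the su'd shell and the DENIED lines from
# journalctl -k / dmesg / /var/log/audit/audit.log.

HAT='/bin/su//USERNAME'
TESTFILE='/home/USERNAME/testfile'

# Constructed: what attr/current prints when the hat transition worked,
# and what it prints when the shell is running unconfined.
ATTR_CONFINED="$HAT (enforce)"
ATTR_UNCONFINED='unconfined'

# Constructed audit lines: one denial on the test file under the hat,
# one unrelated denial under another profile, one allowed event.
AUDIT_LOG='type=AVC msg=audit(1700000000.100:1): apparmor="DENIED" operation="open" profile="/bin/su//USERNAME" name="/home/USERNAME/testfile" pid=4242 comm="nano" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1700000000.200:2): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=999 comm="cupsd" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1700000000.300:3): apparmor="ALLOWED" operation="open" profile="/bin/su//USERNAME" name="/home/USERNAME/.bashrc" pid=4242 comm="bash" requested_mask="r" denied_mask="r"'

# confinement_state "<attr/current text>" "<expected hat>"
#   prints "confined" when the shell is in the hat in enforce mode,
#   "complain" when in complain mode, "unconfined" otherwise.
confinement_state() {
    case "$1" in
        "$2 (enforce)")  echo confined ;;
        "$2 (complain)") echo complain ;;
        *)               echo unconfined ;;
    esac
}

# count_denials "<log text>" "<hat>" "<path>"
#   prints how many DENIED events name <path> under <hat>.
#   grep -c still prints 0 when nothing matches; "|| true" keeps a zero
#   count from being treated as an error under set -e.
count_denials() {
    printf '%s\n' "$1" \
      | grep -F 'apparmor="DENIED"' \
      | grep -F "profile=\"$2\"" \
      | grep -Fc "name=\"$3\"" || true
}

report() {
    echo "shell confinement: $(confinement_state "$1" "$HAT")"
    echo "DENIED events for $TESTFILE under $HAT: $(count_denials "$AUDIT_LOG" "$HAT" "$TESTFILE")"
}

report "$ATTR_CONFINED"
```

If the first line reports `unconfined` in the su'd shell, the pam_apparmor session step never changed hats, and no deny rule inside the hat can take effect no matter how the profile is written.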