
#1 2010-10-29 21:01:56

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

AppArmor: my progress so far

So apparmor is finally in the kernel! Life should be easy now right? ...

Wrong :)

I'm currently using a self-built 2.6.36 kernel with the apparmor kernel module activated by default. You can also use the kernel in testing and pass the options on GRUB (possibly "apparmor=1" and "security=apparmor") as the Arch devs have included the apparmor module in their build.

I've installed the apparmor userspace tools from AUR.

When running "aa-complain /etc/apparmor.d/*" I get a series of complaints:

Can't locate RPC/XML.pm in @INC (@INC contains: /usr/lib/perl5/site_perl /usr/share/perl5/site_perl /usr/lib/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib/perl5/core_perl /usr/share/perl5/core_perl /usr/lib/perl5/site_perl/5.10.1 /usr/share/perl5/site_perl/5.10.1 /usr/lib/perl5/current /usr/lib/perl5/site_perl/current .) at /usr/lib/perl5/vendor_perl/Immunix/Repository.pm line 29.
BEGIN failed--compilation aborted at /usr/lib/perl5/vendor_perl/Immunix/Repository.pm line 29.
Compilation failed in require at /usr/lib/perl5/vendor_perl/Immunix/SubDomain.pm line 41.
BEGIN failed--compilation aborted at /usr/lib/perl5/vendor_perl/Immunix/SubDomain.pm line 41.
Compilation failed in require at /usr/sbin/aa-complain line 28.
BEGIN failed--compilation aborted at /usr/sbin/aa-complain line 28.

I've thus far discovered extra dependencies required for the userspace tools (which allow me to get further with the aa-complain command before different errors appear):
perl-locale-gettext
perl-term-readkey
perl-rpc-xml

The last one on the list is in AUR but it refuses to install. Trying to build results in a series of failed tests. :(

Just wondering if anyone else is attempting to get AppArmor to work in Arch? I just can't figure out how to get perl-rpc-xml to build. I also naively hope this is the final hurdle required to get AppArmor to run! Then we can have the joys of trying to build profiles that work :)

Last edited by dyscoria (2010-10-29 21:05:45)


flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)


#2 2010-10-29 21:12:44

jelly
Trusted User (TU)
From: /dev/null
Registered: 2008-06-10
Posts: 711

Re: AppArmor: my progress so far

Hi, I am interested in it too; I will be using the testing kernel and the apparmor userspace tools from AUR ;)

I installed them both in a VM.

[jelle@myhost ~]$ sudo cat /sys/module/apparmor/parameters/enabled 
Y

Except I can't start apparmor_status, because the module isn't loaded, so hmm, somehow it wasn't created?

Last edited by jelly (2010-10-29 22:09:55)


#3 2010-10-29 22:02:02

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: AppArmor: my progress so far

Well now I've skipped running "make test" when building perl-rpc-xml (at the risk of something terrible happening). I've installed this half functional perl-rpc-xml package and rebuilt apparmor.

Running "aa-complain /etc/apparmor.d/*" now results in another error :)

Apparently it can't locate LibAppArmor.pm, which let's face it, doesn't sound promising.

Looking on here indicates that on Debian, they have packages called libapparmor1 and libapparmor-perl (maybe related to the error??) which don't appear to be mentioned anywhere else on the internet or apparmor wiki, apart from as packages for Debian and Ubuntu.

So right now, I'm confused as hell lol.

Last edited by dyscoria (2010-10-29 22:02:49)



#4 2010-10-29 22:10:51

jelly
Trusted User (TU)
From: /dev/null
Registered: 2008-06-10
Posts: 711

Re: AppArmor: my progress so far

dyscoria wrote:

Well now I've skipped running "make test" when building perl-rpc-xml (at the risk of something terrible happening). I've installed this half functional perl-rpc-xml package and rebuilt apparmor.

Running "aa-complain /etc/apparmor.d/*" now results in another error :)

Apparently it can't locate LibAppArmor.pm, which let's face it, doesn't sound promising.

Looking on here indicates that on Debian, they have packages called libapparmor1 and libapparmor-perl (maybe related to the error??) which don't appear to be mentioned anywhere else on the internet or apparmor wiki, apart from as packages for Debian and Ubuntu.

So right now, I'm confused as hell lol.

LibAppArmor.pm indicates that it's a perl package so you need to install that too?

Btw how did you get the apparmor module?


#5 2010-10-29 22:13:36

jelly
Trusted User (TU)
From: /dev/null
Registered: 2008-06-10
Posts: 711

Re: AppArmor: my progress so far

Never mind

[jelle@myhost ~]$ sudo apparmor_status
apparmor module is loaded.
You do not have enough privilege to read the profile set.


#6 2010-10-29 22:32:22

jelly
Trusted User (TU)
From: /dev/null
Registered: 2008-06-10
Posts: 711

Re: AppArmor: my progress so far

According to the CentOS wiki https://apparmor.wiki.kernel.org/index. … tro_CentOS we have everything.....

BTW, check the comments on the perl-rpc-xml AUR page and change the dependency, then the package works :D

Last edited by jelly (2010-10-29 22:33:48)


#7 2010-10-29 23:13:50

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: AppArmor: my progress so far

jelly wrote:

According to the CentOS wiki https://apparmor.wiki.kernel.org/index. … tro_CentOS we have everything.....

BTW, check the comments on the perl-rpc-xml AUR page and change the dependency, then the package works :D

That's my comment on that AUR page :P Can you build it? I need to remove the line "make test &&" before the package builds.



#8 2010-10-30 01:53:30

juster
Forum Fellow
Registered: 2008-10-07
Posts: 195

Re: AppArmor: my progress so far

I've updated the perl-rpc-xml package. It requires perl-xml-parser and has an optional dependency on perl-xml-libxml. One test fails on me because of aliases for my localhost in /etc/hosts. The server is bound to my configured hostname while the test checks if it is set to localhost or something similar.

Sounds like you figured it out and have other problems, though. You might have to set the perl module search path to where LibAppArmor.pm is located... assuming it is built and installed somewhere. You can do this a number of ways, one is by setting the PERL5LIB environment variable.

I've noticed on the launchpad page for AppArmor that there are SWIG bindings to a few languages like perl. I would make sure SWIG is installed and it creates the perl binding when you compile AppArmor.

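An added example (not part of juster's post or of the AppArmor tools) for the PERL5LIB suggestion above: it parses a Perl "Can't locate ... in @INC" message, searches the given build or install directories for the module, and prints the PERL5LIB value that would expose it. The function names and the sample error line (the thread's RPC/XML.pm message with @INC shortened) are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn a Perl "Can't locate ... in @INC" error into a PERL5LIB hint.
# SAMPLE_ERR is constructed: the thread's RPC/XML.pm error with @INC shortened.
SAMPLE_ERR="Can't locate RPC/XML.pm in @INC (@INC contains: /usr/lib/perl5/site_perl /usr/share/perl5/site_perl .) at /usr/lib/perl5/vendor_perl/Immunix/Repository.pm line 29."

# Print the module file Perl could not find, e.g. RPC/XML.pm.
missing_module() {
    printf '%s\n' "$1" | sed -n "s/^Can't locate \([^ ]*\) in @INC.*/\1/p"
}

# Print the @INC directories quoted in the error, one per line.
inc_dirs() {
    printf '%s\n' "$1" |
        sed -n 's/.*(@INC contains: \([^)]*\)).*/\1/p' | tr ' ' '\n'
}

# Search the given roots for the module; print the directory that would
# have to be on the search path for "require" to find it.
find_module_dir() {
    module=$1; shift
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f -path "*/$module" 2>/dev/null |
            while IFS= read -r hit; do printf '%s\n' "${hit%/$module}"; done
    done | head -n 1
}

# Exit codes: 0 hint printed, 1 module not found under the roots,
# 2 not a "Can't locate" error, 3 directory is already in @INC.
perl5lib_hint() {
    err=$1; shift
    mod=$(missing_module "$err")
    [ -n "$mod" ] || return 2
    dir=$(find_module_dir "$mod" "$@")
    [ -n "$dir" ] || return 1
    if inc_dirs "$err" | grep -Fxq "$dir"; then return 3; fi
    printf 'PERL5LIB=%s\n' "$dir"
}

# Demo on the sample line: which module is missing and how many @INC entries.
echo "missing: $(missing_module "$SAMPLE_ERR")"
echo "@INC entries: $(inc_dirs "$SAMPLE_ERR" | wc -l | tr -d ' ')"
```

Exit code 1 means the module was never built or installed under the searched roots, in which case changing the search path cannot help.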

#9 2010-10-30 08:01:10

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: AppArmor: my progress so far

Thanks juster for the quick package update :)
Turns out I had to turn off iptables to get perl-rpc-xml to build (first time I've ever had to do that for anything).

Right, so now I'm trying to figure out this LibAppArmor.pm stuff...looks like it should be installed in /usr/lib/perl5/LibAppArmor.pm when installing AppArmor, but it's not :( There's also a bunch of other libapparmor stuff that should be installed in /usr/lib.

I tried after installing SWIG and no success yet.



#10 2010-10-30 08:12:18

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: AppArmor: my progress so far

Oh just seen all the comments on the apparmor AUR package! Look here for update on how far along apparmor is to getting integrated into Arch:
https://wiki.archlinux.org/index.php/AppArmor

Looks like there's a lot more to it than I originally hoped :/

Last edited by dyscoria (2010-10-30 08:17:35)



#11 2010-10-30 10:02:57

flamelab
Member
From: Athens, Hellas (Greece)
Registered: 2007-12-26
Posts: 2,160

Re: AppArmor: my progress so far

The best way could be to have the Arch devs get interested in it :P

Using AppArmor, is there any performance impact?


#12 2010-10-30 10:07:34

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: AppArmor: my progress so far

AppArmor is meant to have less performance impact than SELinux. I haven't had the chance to get it running on Arch yet, but I think the performance impact is negligible on Ubuntu 10.10 unless you care about milliseconds.



#13 2010-10-30 10:43:42

jelly
Trusted User (TU)
From: /dev/null
Registered: 2008-06-10
Posts: 711

Re: AppArmor: my progress so far

flamelab wrote:

The best way could be to have the Arch devs get interested in it :P

Using AppArmor, is there any performance impact?

Haha, well, the devs first want to try it / see it working ;)


#14 2010-11-04 23:58:01

jelly
Trusted User (TU)
From: /dev/null
Registered: 2008-06-10
Posts: 711

Re: AppArmor: my progress so far

We just need an rc.d script to get it working ;)


#15 2010-11-27 00:20:44

jowilkin
Member
Registered: 2009-05-07
Posts: 243

Re: AppArmor: my progress so far

Hate to bump an old thread, but what's the status on this effort? I'd like to lend a hand if needed. I work on the ArchServer project (http://www.archserver.org/) and would love to be able to offer AppArmor as an option in a future release.


#16 2010-11-27 00:35:50

thestinger
Trusted User (TU)
From: Toronto, Canada
Registered: 2010-01-23
Posts: 478

Re: AppArmor: my progress so far

See here. We pretty much just need the daemon script to get the basics working.


#17 2013-02-04 18:13:46

Moosey_Linux
Member
From: Malmö Sweden
Registered: 2012-07-01
Posts: 27

Re: AppArmor: my progress so far

Hi you guys, how is the AppArmor development going? I tried to install it from AUR and added the apparmor=1 security=apparmor to my kernel line. Everything was going well until I tried apparmor_status

apparmor module is loaded.
You do not have enough privilege to read the profile set.

How do I continue from here?
And thanks for developing and maintaining this nice security app.


#18 2013-02-05 00:30:10

brebs
Member
Registered: 2007-04-03
Posts: 3,408

Re: AppArmor: my progress so far

Moosey_Linux wrote:

You do not have enough privilege to read the profile set.

Run apparmor_status as the root user.


#19 2013-02-05 22:32:27

Moosey_Linux
Member
From: Malmö Sweden
Registered: 2012-07-01
Posts: 27

Re: AppArmor: my progress so far

[root@Cikoniedoj svartastorken]# apparmor_status
apparmor module is loaded.
You do not have enough privilege to read the profile set.

It's not it


#20 2013-06-17 08:50:54

brebs
Member
Registered: 2007-04-03
Posts: 3,408

Re: AppArmor: my progress so far

Moosey_Linux wrote:

You do not have enough privilege to read the profile set

I reckon you haven't installed the 2 AppArmor kernel patches.

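An added diagnostic, not from the thread or the AppArmor project, for the state discussed in posts #17 to #20: it checks the two boot options named above and then tells a missing profiles file apart from an unreadable one. It assumes securityfs is mounted at /sys/kernel/security and that the loaded-profile list is the profiles file in its apparmor directory; the function names and state labels are hypothetical.

```shell
#!/bin/sh
# Added example: classify the AppArmor kernel state seen from userspace.
# Assumption: securityfs is mounted at <sysroot>/kernel/security and the
# loaded-profile list is the "profiles" file in its apparmor directory.

# True only if both boot options named in the thread are on the command line.
cmdline_requests_apparmor() {
    case " $1 " in *" apparmor=1 "*) ;; *) return 1 ;; esac
    case " $1 " in *" security=apparmor "*) ;; *) return 1 ;; esac
}

# $1 = sysfs root (default /sys); a different root allows offline testing.
apparmor_state() {
    sys=${1:-/sys}
    mod="$sys/module/apparmor"
    fs="$sys/kernel/security/apparmor"
    [ -d "$mod" ] || { echo "module-absent"; return 0; }
    [ "$(cat "$mod/parameters/enabled" 2>/dev/null)" = "Y" ] ||
        { echo "module-disabled"; return 0; }
    [ -d "$fs" ] || { echo "securityfs-dir-missing"; return 0; }
    # A missing file is a kernel interface problem; an unreadable one is a
    # privilege problem. The two need different fixes.
    [ -e "$fs/profiles" ] || { echo "profiles-file-missing"; return 0; }
    [ -r "$fs/profiles" ] || { echo "profiles-file-unreadable"; return 0; }
    echo "ok:$(wc -l < "$fs/profiles" | tr -d ' ')"
}

# Demo against the running system (read-only).
if [ -r /proc/cmdline ] && cmdline_requests_apparmor "$(cat /proc/cmdline)"; then
    echo "boot options: present"
else
    echo "boot options: not both present"
fi
echo "state: $(apparmor_state)"
```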
