So apparmor is finally in the kernel! Life should be easy now right? ...
Wrong
I'm currently using a self built 2.6.36 kernel with the apparmor kernel module activated by default. You can also use the kernel in testing and pass the options on GRUB (possibly "apparmor=1" and "security=apparmor") as the arch devs have included the apparmor module in their build.
I've installed the apparmor userspace tools from AUR.
When running "aa-complain /etc/apparmor.d/*" I get a series of complaints:
Can't locate RPC/XML.pm in @INC (@INC contains: /usr/lib/perl5/site_perl /usr/share/perl5/site_perl /usr/lib/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib/perl5/core_perl /usr/share/perl5/core_perl /usr/lib/perl5/site_perl/5.10.1 /usr/share/perl5/site_perl/5.10.1 /usr/lib/perl5/current /usr/lib/perl5/site_perl/current .) at /usr/lib/perl5/vendor_perl/Immunix/Repository.pm line 29.
BEGIN failed--compilation aborted at /usr/lib/perl5/vendor_perl/Immunix/Repository.pm line 29.
Compilation failed in require at /usr/lib/perl5/vendor_perl/Immunix/SubDomain.pm line 41.
BEGIN failed--compilation aborted at /usr/lib/perl5/vendor_perl/Immunix/SubDomain.pm line 41.
Compilation failed in require at /usr/sbin/aa-complain line 28.
BEGIN failed--compilation aborted at /usr/sbin/aa-complain line 28.
I've thus far discovered extra dependencies required for the userspace tools (which allow me to get further with the aa-complain command before different errors appear):
perl-locale-gettext
perl-term-readkey
perl-rpc-xml
The last one on the list is in AUR but it refuses to install. Trying to build results in a series of failed tests.
Just wondering if anyone else is attempting to get AppArmor to work in Arch? I just can't figure out how to get perl-rpc-xml to build. I also naively hope this is the final hurdle required to get AppArmor to run! Then we can have the joys of trying to build profiles that work
Last edited by dyscoria (2010-10-29 21:05:45)
flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)
Hi, I am interested in it too. I will be using the testing kernel and the apparmor userspace tools from AUR.
I installed them both in a VM.
[jelle@myhost ~]$ sudo cat /sys/module/apparmor/parameters/enabled
Y
Except I can't start apparmor_status, because the module isn't loaded, so hmm, somehow it wasn't created?
Last edited by jelly (2010-10-29 22:09:55)
Well now I've skipped running "make test" when building perl-rpc-xml (at the risk of something terrible happening). I've installed this half functional perl-rpc-xml package and rebuilt apparmor.
Running "aa-complain /etc/apparmor.d/*" now results in another error
Apparently it can't locate LibAppArmor.pm, which let's face it, doesn't sound promising.
Looking on here indicates that on Debian, they have packages called libapparmor1 and libapparmor-perl (maybe related to the error??) which don't appear to be mentioned anywhere else on the internet or apparmor wiki, apart from as packages for Debian and Ubuntu.
So right now, I'm confused as hell lol.
Last edited by dyscoria (2010-10-29 22:02:49)
> Well now I've skipped running "make test" when building perl-rpc-xml (at the risk of something terrible happening). I've installed this half functional perl-rpc-xml package and rebuilt apparmor.
> Running "aa-complain /etc/apparmor.d/*" now results in another error
> Apparently it can't locate LibAppArmor.pm, which let's face it, doesn't sound promising.
> Looking on here indicates that on Debian, they have packages called libapparmor1 and libapparmor-perl (maybe related to the error??) which don't appear to be mentioned anywhere else on the internet or apparmor wiki, apart from as packages for Debian and Ubuntu.
> So right now, I'm confused as hell lol.
LibAppArmor.pm indicates that it's a perl package so you need to install that too?
Btw how did you get the apparmor module?
nevermind
[jelle@myhost ~]$ sudo apparmor_status
apparmor module is loaded.
You do not have enough privilege to read the profile set.
According to the CentOS wiki https://apparmor.wiki.kernel.org/index. … tro_CentOS we have everything.....
BTW, check the comments on the perl-rpc-xml AUR page and change the dependency, then the package works.
Last edited by jelly (2010-10-29 22:33:48)
> According to the CentOS wiki https://apparmor.wiki.kernel.org/index. … tro_CentOS we have everything.....
> BTW, check the comments on the perl-rpc-xml AUR page and change the dependency, then the package works.
That's my comment on that AUR page. Can you build it? I need to remove the line "make test &&" before the package builds.
I've updated the perl-rpc-xml package. It requires perl-xml-parser and has an optional dependency on perl-xml-libxml. One test fails on me because of aliases for my localhost in /etc/hosts. The server is bound to my configured hostname while the test checks if it is set to localhost or something similar.
Sounds like you figured it out and have other problems, though. You might have to set the perl module search path to where LibAppArmor.pm is located... assuming it is built and installed somewhere. You can do this a number of ways, one is by setting the PERL5LIB environment variable.
I've noticed on the launchpad page for AppArmor that there are SWIG bindings to a few languages like perl. I would make sure SWIG is installed and it creates the perl binding when you compile AppArmor.
Thanks juster for the quick package update
Turns out I had to turn off iptables to get perl-rpc-xml to build (first time I've ever had to do that for anything).
Right, so now I'm trying to figure out this LibAppArmor.pm stuff... looks like it should be installed in /usr/lib/perl5/LibAppArmor.pm when installing AppArmor, but it's not. There's also a bunch of other libapparmor stuff that should be installed in /usr/lib.
I tried after installing SWIG and no success yet.
Oh just seen all the comments on the apparmor AUR package! Look here for update on how far along apparmor is to getting integrated into Arch:
https://wiki.archlinux.org/index.php/AppArmor
Looks like there's a lot more to it than I originally hoped
Last edited by dyscoria (2010-10-30 08:17:35)
The best way could be to get the Arch devs interested in it.
Using AppArmor, is there any performance impact?
AppArmor is meant to have less performance impact than SELinux. I haven't had the chance to get it running on Arch yet, but I think the performance impact is negligible on Ubuntu 10.10 unless you care about milliseconds.
> The best way could be to get the Arch devs interested in it.
> Using AppArmor, is there any performance impact?
Haha, well, the devs first want to try it / see it working.
Hate to bump an old thread, but what's the status on this effort? I'd like to lend a hand if needed. I work on the ArchServer project (http://www.archserver.org/) and would love to be able to offer AppArmor as an option in a future release.
See here. We pretty much just need the daemon script to get the basics working.
Hi you guys, how is the AppArmor development going? I tried to install it from AUR and added the apparmor=1 security=apparmor to my kernel line. Everything was going well until I tried apparmor_status
apparmor module is loaded.
You do not have enough privilege to read the profile set.
How do I continue from here?
And thanks for developing and maintaining this nice security app
> You do not have enough privilege to read the profile set.
Run apparmor_status as the root user.
[root@Cikoniedoj svartastorken]# apparmor_status
apparmor module is loaded.
You do not have enough privilege to read the profile set.
It's not it
> You do not have enough privilege to read the profile set
I reckon you haven't installed the 2 AppArmor kernel patches.
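The states this thread runs into (the `enabled` parameter reading `Y` while apparmor_status still refuses to list profiles, even for root) can be told apart with a few file checks. This is an added shell example, not part of any post or of the AppArmor tools; it assumes the loaded-profile list lives at /sys/kernel/security/apparmor/profiles with one `name (mode)` entry per line, and the root-prefix argument to `aa_diagnose` is a hypothetical hook for running it against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the thread). aa_diagnose takes an optional root
# prefix (hypothetical test hook); with no argument it checks the live system.
aa_diagnose() {
    root="${1:-}"
    enabled="$root/sys/module/apparmor/parameters/enabled"
    aafs="$root/sys/kernel/security/apparmor"
    profiles="$aafs/profiles"   # assumed path of the loaded-profile list

    # 1. Is the LSM built in and switched on (apparmor=1 security=apparmor)?
    [ -r "$enabled" ] || { echo "module-absent"; return 1; }
    [ "$(cat "$enabled")" = "Y" ] || { echo "module-disabled"; return 1; }

    # 2. Is securityfs mounted, and does AppArmor have a directory in it?
    [ -d "$aafs" ] || { echo "securityfs-missing"; return 1; }

    # 3. Does the kernel expose the profile list at all? A missing file is
    #    not a permission problem, so running as root cannot help.
    [ -e "$profiles" ] || { echo "no-profiles-interface"; return 1; }

    # 4. The file exists but this user cannot read it: rerun as root.
    [ -r "$profiles" ] || { echo "profiles-unreadable"; return 1; }

    # 5. Readable: count loaded profiles per mode.
    enforce=$(grep -c '(enforce)$' "$profiles" || true)
    complain=$(grep -c '(complain)$' "$profiles" || true)
    echo "ok enforce=$enforce complain=$complain"
}

# Constructed sample tree: LSM enabled, securityfs directory present,
# but no profiles file. Prints "no-profiles-interface".
demo=$(mktemp -d)
mkdir -p "$demo/sys/module/apparmor/parameters" "$demo/sys/kernel/security/apparmor"
echo Y > "$demo/sys/module/apparmor/parameters/enabled"
aa_diagnose "$demo" || true
rm -rf "$demo"
```

Calling `aa_diagnose` with no argument inspects the running system; any result other than `ok ...` names the first check that failed.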