sudo aa-genprof apache2
When you see the following message:
Would you like to enable access to the
profile repository?
(E)nable Repository / (D)isable Repository / Ask Me (L)ater
Select E for enable.
You’ll see the following message:
Writing updated profile for /usr/sbin/apache2.
Setting /usr/sbin/apache2 to complain mode.
Please start the application to be profiled in
another window and exercise its functionality now.
Once completed, select the “Scan” button below in
order to scan the system logs for AppArmor events.
For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.
Profiling: /usr/sbin/apache2
[(S)can system log for SubDomain events] / (F)inish
Select Finish and you’ll see the following message:
Setting /usr/sbin/apache2 to enforce mode.
Reloaded SubDomain profiles in enforce mode.
Finished generating profile for /usr/sbin/apache2.
Edit the newly created AppArmor profile and add the following lines inside the braces of the ^DEFAULT_URI block (the mod_apparmor hat):
/usr/sbin/suexec2 rix,
/usr/share/apache2/** r,
/var/log/apache2/** rwl,
/var/www/** r,
Set the newly created apache2 AppArmor profile to complain mode, then restart apache2:
sudo aa-complain /etc/apparmor.d/usr.sbin.apache2
sudo /etc/init.d/apache2 restart
After running Apache for a while, we can update the AppArmor profile from the logged events:
sudo aa-logprof
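As an added illustration (not part of the original post and not an AppArmor tool), the POSIX shell script below summarises the kind of AppArmor events that aa-logprof scans and drafts candidate file rules in the same profile syntax as the lines added to ^DEFAULT_URI above. It assumes the modern key=value audit format (apparmor="ALLOWED" in complain mode, apparmor="DENIED" in enforce mode), which differs from the Hardy-era type=1503 lines; the sample log lines are constructed.

```shell
#!/bin/sh
# Constructed sample of AppArmor audit events as a modern Ubuntu writes them
# to /var/log/syslog or /var/log/kern.log. Assumptions: the key=value
# apparmor="..." format (the Hardy-era type=1503 lines differ), ALLOWED
# events come from complain mode, DENIED events from enforce mode. Not real data.
SAMPLE_LOG='kernel: audit: type=1400 audit(1700000000.001:101): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2//DEFAULT_URI" name="/var/www/html/index.html" pid=1234 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
kernel: audit: type=1400 audit(1700000000.002:102): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2//DEFAULT_URI" name="/var/www/html/index.html" pid=1235 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
kernel: audit: type=1400 audit(1700000000.003:103): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/var/log/apache2/error.log" pid=1230 comm="apache2" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1700000000.004:104): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/apache2" pid=999 comm="apparmor_parser"'

# Count accesses the profile does not yet cover (complain-mode ALLOWED or
# enforce-mode DENIED) per (profile, path, mask, status). Reads audit lines
# on stdin; STATUS and other informational events are ignored.
summarize_events() {
    grep -E 'apparmor="(ALLOWED|DENIED)"' |
    sed -n 's/.*apparmor="\([^"]*\)".*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\2 \3 \4 \1/p' |
    sort | uniq -c | sort -rn
}

# Translate an audit mask into profile permission letters: "c" (create)
# becomes "w", duplicates collapse and the letters are sorted.
mask_to_perms() {
    printf '%s' "$1" | sed 's/c/w/g' | fold -w 1 | sort -u | tr -d '\n'
}

# Emit one candidate file rule per distinct (path, mask), preceded by a
# comment naming the profile or hat that generated the event. This is a
# review aid only; aa-logprof remains the tool that edits the profile.
suggest_rules() {
    summarize_events | while read -r count profile path mask status; do
        printf '# %s x%s in %s\n  %s %s,\n' \
            "$status" "$count" "$profile" "$path" "$(mask_to_perms "$mask")"
    done
}

printf '%s\n' "$SAMPLE_LOG" | suggest_rules
```

Pipe real lines in with something like `grep apparmor= /var/log/syslog | suggest_rules` and compare the drafted rules against what aa-logprof proposes before accepting anything into the profile.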
This is my AppArmor Apache file; it’s pretty basic since I don’t run any PHP scripts, just static pages. I suspect that I would certainly have more to it if I did, but it works for me. I’m currently running Ubuntu Hardy Heron.