Hi,

i'm pretty new to AppArmor and have some basic questions.
I have an apache running some virtual hosts. One vhost should be protected by AppArmor, the others not.
Furthermore the other vhosts should NOT BE CONFINED OR DISTURBED by AppArmor.
Does it matter if it is a namebased or ip-based vhost ?

I have a SLES 10 SP4 box.

I installed apparmor and the module for apache. The module is enabled. I added the following to the conf-file of the vhost:

AADefaultHatName genetrap
This is the vhost i want to confine.

To /etc/apparmor.d/usr.sbin.httpd2-prefork i added the following:

/usr/sbin/httpd2-prefork//genetrap flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice>
}
It seems this is the suse way to define a subprofile, i also saw subprofiles definitions beginning with an ^ and afterwards just the name of the hat,
but included in the block of the profile of /usr/sbin/httpd2-prefork.
Is both correct ? Is there a reason to prefer one ?

Restarts of apache and apparmor don't complain.

Having a look in /var/log/audit/audit.log shows lines like:
type=APPARMOR_ALLOWED msg=audit(1493230551.040:17953): type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/usr/share/apache2/error/include/top.html" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"

Does that mean that the profile is running fine ?

Is the procedure i did correct ?
aa-status does not show the newly created subprofile.
I saw documents in the net where aa-status shows the subprofiles, but they used a newer version of apparmor.
Maybe it's related to this.

pc52842:~ # aa-status
apparmor module is loaded.
11 profiles are loaded.
10 profiles are in enforce mode.
/usr/sbin/ntpd
/usr/sbin/identd
/sbin/klogd
/sbin/syslogd
/sbin/syslog-ng
/usr/sbin/traceroute
/usr/sbin/nscd
/bin/ping
/usr/sbin/mdnsd
/usr/sbin/named
1 profiles are in complain mode.
/usr/sbin/httpd2-prefork
15 processes have profiles defined.
3 processes are in enforce mode :
/sbin/syslog-ng (3084)
/usr/sbin/nscd (3762)
/sbin/klogd (3087)
12 processes are in complain mode.
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3410)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3408)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3030)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3407)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3032)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3031)
/usr/sbin/httpd2-prefork (3028)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (11334)
/usr/sbin/httpd2-prefork (3027)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3029)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3409)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3405)
0 processes are unconfined but have a profile defined.

Is that correct ? Is it possible now to have the vhost running for a certain time in complain mode and then
use logprof to create a profile just for this one vhost ? Is it possible to confine just one vhost, not the other ones ?
Can i ran a subprofile for a vhost in enforce mode, but the profile for httpd2 still in complain mode (to not disturb the other vhosts) ?

Or is the idea to tricky and i should use a vm with a dedicated apache just for this vhost and confine just this apache instance ?
It's important that the other vhosts are not confined/disturbed, because they are running important web applications for ourselves.


Thanks.


Bernd