[apparmor] AppArmor and virtual hosts in Apache

John Johansen john.johansen at canonical.com
Tue May 2 22:09:19 UTC 2017


On 05/02/2017 02:10 PM, Christian Boltz wrote:
> Hello,
> 
> On Tuesday, 2 May 2017, 11:26:36 CEST, John Johansen wrote:
>> On 05/02/2017 01:58 AM, Lentes, Bernd wrote:
>>> ----- On Apr 29, 2017, at 3:02 AM, Seth Arnold seth.arnold at canonical.com wrote:
>>>> On Wed, Apr 26, 2017 at 08:26:10PM +0200, Lentes, Bernd wrote:
> 
>>>>> I have a SLES 10 SP4 box.
> 
> That sounds like a terribly old AppArmor version, but still, 
> mod_apparmor probably didn't change too much in the meantime.
> 
> BTW: You might want to steal ;-) 
>     /etc/apparmor.d/abstractions/apache2-common
> from a more recent AppArmor release. Note that you'll probably have to 
> remove the "signal" rules - I'd be surprised if apparmor_parser on SLE10 
> can handle them.
> 
>> There are a couple of things that could be done to help. An
>> interactive learning mode could make the decision at request time, at
>> the cost of blocking until ready. We could also allow adding some
>> rules that would provide patterns for what kind of requests should map
>> to which profiles, or if they should create a new custom learning
>> profile.
> 
> Or you can do something simple and boring - create the hat manually in 
> the profile [1] (and reload the profile) before using it ;-)
> 
> That will stop the change_hat guessing and ensure everything gets logged 
> for the hat you want to use.
> 
Well sure, if you know the hats you want in advance and the hat matches
the highest priority request. Otherwise if you want a request in one
of the lower priority requests you will be dealing with the same
issues we currently have.



