systeme:apparmor
Différences
Ci-dessous, les différences entre deux révisions de la page.
Les deux révisions précédentesRévision précédenteProchaine révision | Révision précédente | ||
systeme:apparmor [2015/08/15 10:05] – [Type de permission] root | systeme:apparmor [2016/10/08 16:34] (Version actuelle) – [Liens] root | ||
---|---|---|---|
Ligne 3: | Ligne 3: | ||
* [[http:// | * [[http:// | ||
* [[https:// | * [[https:// | ||
+ | * [[https:// | ||
===== Description ===== | ===== Description ===== | ||
AppArmor permet à l' | AppArmor permet à l' | ||
Ligne 14: | Ligne 14: | ||
* **a** : Append mode (mutually exclusive to w) | * **a** : Append mode (mutually exclusive to w) | ||
* **k** : File locking mode | * **k** : File locking mode | ||
- | * **px** : Discrete | + | |
- | * **Px** : Discrete | + | * **ux** : Execute unconfined (preserve environment) -- WARNING: should only be used in very special cases |
- | * **ux** : Unconstrained execute mode | + | * **Ux** : Execute unconfined (scrub the environment) |
- | * **Ux** : Unconstrained execute mode—clean exec | + | |
- | * **ix** : Inherit execute mode | + | * **Px** : Execute under a specific |
+ | * **pix** : as px but fallback to inheriting the current profile if the target profile is not found | ||
+ | * **Pix** : as Px but fallback to inheriting the current profile if the target profile is not found | ||
+ | * **pux** : as px but fallback to executing unconfined if the target profile is not found | ||
+ | * **Pux** : as Px but fallback to executing unconfined if the target profile is not found | ||
+ | | ||
+ | * **cx** : Execute and transition to a child profile (preserve the environment) | ||
+ | * **Cx** : Execute and transition to a child profile (scrub the environment) | ||
+ | * **cix** : as cx but fallback to inheriting the current profile if the target profile is not found | ||
+ | * **Cix** : as Cx but fallback to inheriting the current profile if the target profile is not found | ||
+ | * **cux** : as cx but fallback to executing unconfined if the target profile is not found | ||
+ | * **Cux** : as Cx but fallback to executing unconfined if the target profile is not found | ||
* **m** : Allow PROT_EXEC with mmap(2) calls | * **m** : Allow PROT_EXEC with mmap(2) calls | ||
* **l** : Link mode | * **l** : Link mode | ||
Ligne 25: | Ligne 36: | ||
* **deny** : explicitly deny, without logging | * **deny** : explicitly deny, without logging | ||
* **audit deny** : combination to explicitly deny, but log | * **audit deny** : combination to explicitly deny, but log | ||
- | * **quiet** : Enlève le flag audit | + | * **quiet** : clears |
< | < | ||
Ligne 165: | Ligne 176: | ||
===== apparmor_parser ===== | ===== apparmor_parser ===== | ||
+ | * Voir ce qu'il y a de charger dans le profil apache2 : | ||
+ | < | ||
+ | $ apparmor_parser -Q --debug / | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | $ apparmor_parser -p / | ||
+ | </ | ||
+ | |||
* Recharger le profile ping : | * Recharger le profile ping : | ||
< | < | ||
$ apparmor_parser -r / | $ apparmor_parser -r / | ||
</ | </ |
systeme/apparmor.1439633152.txt.gz · Dernière modification : 2015/08/15 10:05 de root