From 4cfdf53921842b1b59fa5fd77777fb6065f6e977 Mon Sep 17 00:00:00 2001
From: Silvino <silvino@bk.ru>
Date: Wed, 12 Jun 2019 23:51:18 +0000
Subject: apparmor added profiles

---
 core/apparmor.html | 51 +++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 47 insertions(+), 4 deletions(-)

(limited to 'core')

diff --git a/core/apparmor.html b/core/apparmor.html
index 5c9b541..0052a68 100644
--- a/core/apparmor.html
+++ b/core/apparmor.html
@@ -11,7 +11,7 @@
         <h1>2.6.1. AppArmor</h1>
 
         <p>Check <a href="linux.html#configure">kernel configuration</a> or
-        use the provided with <a href="reboot.html#linux">linux-gnu</a> port 
+        use the provided with <a href="reboot.html#linux">linux-gnu</a> port
         to support apparmor. <a href="https://gitlab.com/apparmor/apparmor/wikis/home">AppArmor</a> enforce rules on applications based
         on security policies. User space tools are provided by apparmor port
         and its dependencies, install them;</p>
@@ -48,7 +48,20 @@
 	aa-decode          aa-exec            aa-remove-unknown
 	</pre>
 
-	<p>apparmor_parser options;</p>
+        <h2 id="profiles">Profiles</h2>
+
+	<p>Profiles are located at /etc/apparmor.d/ and
+        /usr/share/apparmor/extra-profiles contain profiles
+        that require testing;
+
+        <pre>
+        # cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/
+        # sudo rm /etc/apparmor.d/README
+        # bash /etc/rc.d/apparmor restart
+        </pre>
+
+        <p>Profiles are parsed using
+        apparmor_parser;</p>
 
         <pre>
 	Usage: apparmor_parser [options] [profile]
@@ -93,11 +106,41 @@
 	--skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
 	--warn n                Enable warnings (see --help=warn)
 	</pre>
-	#
+
+        <h3 id="auto_profiles">Create profile with audit</h3>
+
+        <h3 id="man_profiles">Create profile manually</h3>
+
+        <p>To create a new profile, let's say for lynx,
+        first find where the application is;</p>
+
+        <pre>
+        $ whereis lynx
+        lynx: /usr/bin/lynx /usr/etc/lynx.lss /usr/etc/lynx.cfg /usr/etc/lynx.cfg~ /usr/share/man/man1/lynx.1.gz
+        </pre>
+
+        <p>Now create a file with path to executable in
+        /etc/apparmor.d;</p>
+
+        <pre>
+        # vim /etc/apparmor.d/usr.bin.lynx
+        </pre>
+
+        <p>Create basic profile template;</p>
+
+        <pre>
+        #include &lt;tunables/global&gt;
+
+        profile lynx /usr/bin/lynx {
+          #include &lt;abstractions/base&gt;
+        }
+        </pre>
+
+
 
         <a href="index.html">Core OS Index</a>
         <p>This is part of the Hive System Documentation.
-        Copyright (C) 2018
+        Copyright (C) 2019
         Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
-- 
cgit 1.4.1-2-gfad0