所以我们有一个django应用程序需要一个apparmorconfiguration文件(客户端的任务)。 它运行在位于/opt/fact-virtual-environment的Python虚拟环境中。 应用程序本身安装到/usr/share/fact
以下是我目前的个人资料(主要使用aa-genprof工具构build):
# Last Modified: Tue Jan 20 09:25:09 2015 #include <tunables/global> /usr/bin/fact flags=(audit) { #include <abstractions/apache2-common> #include <abstractions/base> #include <abstractions/bash> capability setgid,capability sys_resource,/usr/local/lib/python2.7/dist-packages/**/ rm,/usr/local/lib/python2.7/dist-packages/** rm,/usr/local/lib/python2.7/site-packages/**/ rm,/usr/local/lib/python2.7/site-packages/** rm,/etc/apparmor.d/** r,#/usr/lib/python2.7/**[^/] r,/usr/bin/sudo Ux,#/usr/bin/strace ux,/bin/bash rix,/bin/dash rix,/bin/uname rix,/dev/tty rw,/etc/default/locale r,#/etc/nsswitch.conf r,#/etc/group r,#/etc/passwd r,/etc/environment r,/etc/login.defs r,/etc/lsb-release r,/etc/fact/fact.ini r,/etc/python2.7/sitecustomize.py r,/etc/security/pam_env.conf r,/lib{,32,64}/** mr,/opt/fact-virtual-environment/**/ mr,/opt/fact-virtual-environment/lib/python2.7/**/ mr,/opt/fact-virtual-environment/lib/python2.7/** mr,/opt/fact-virtual-environment/bin/python rix,/run/utmp rk,/sbin/ldconfig rix,/sbin/ldconfig.real rix,/usr/bin/fact rix,/usr/lib{,/usr/share/fact/**/ r,/usr/share/fact/** r,/usr/share/pyshared/** r,/usr/share/pyshared/**/ r,}
…和/usr/bin/fact命令是一个简单的包装:
#!/bin/bash ## This script is for running the 'fact' command on staging/prod,it sudos to ## the 'fact' user before executing /opt/fact/bin/fact ## It is installed as '/usr/bin/fact' PYTHONPATH=/usr/share/fact PYTHON_BIN=/opt/fact-virtual-environment/bin/python DJANGO_SETTINGS_MODULE=fact.settings.staging if [ "$USER" != "fact" ]; then sudo -u fact $0 $*; else PYTHONPATH=${PYTHONPATH} DJANGO_SETTINGS_MODULE=${DJANGO_SETTINGS_MODULE} ${PYTHON_BIN} -m fact.managecommand $*; fi
我已经启用了很多读取权限,我知道我不需要,比如在debugging尝试中设置了整个/usr/local/lib/* 。 一些令我感到震惊的是,当我运行service apparmor reload (或重新启动)时,我的configuration文件似乎不会重新service apparmor reload 。 我似乎得到不同的结果,如果我重新启动服务与aa-complain usr.bin.fact紧跟着aa-enforce usr.bin.fact 。
在WIndows的Java中,如何检测文件是否具有“只读”属性
如何阻止Linux程序被打印屏蔽?
需要什么权限来安装和更新ActiveX控件?
XDebug主机 – 安全?
我如何只允许pipe理员在Windows中closures程序
现在当我运行我的命令并检查系统日志时,我看到以下内容:
Feb 11 15:08:48 spiffy kernel: [1228245.774660] type=1400 audit(1423620528.359:14142): apparmor="DENIED" operation="open" parent=12884 profile="/usr/bin/fact" name="/usr/local/lib/python2.7/site-packages/" pid=12885 comm="python" requested_mask="r" denied_mask="r" fsuid=111 ouid=0 Feb 11 15:08:48 spiffy kernel: [1228245.774855] type=1400 audit(1423620528.359:14143): apparmor="DENIED" operation="open" parent=12884 profile="/usr/bin/fact" name="/usr/local/lib/python2.7/dist-packages/" pid=12885 comm="python" requested_mask="r" denied_mask="r" fsuid=111 ouid=0 Feb 11 15:08:48 spiffy kernel: [1228245.775829] type=1400 audit(1423620528.359:14144): apparmor="DENIED" operation="open" parent=12884 profile="/usr/bin/fact" name="/usr/local/lib/python2.7/dist-packages/" pid=12885 comm="python" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
..和我的Python应用程序barfs:
$ fact Traceback (most recent call last): File "/usr/lib/python2.7/runpy.py",line 162,in _run_module_as_main "__main__",fname,loader,pkg_name) File "/usr/lib/python2.7/runpy.py",line 72,in _run_code exec code in run_globals File "/usr/share/fact/fact/managecommand.py",line 6,in <module> execute_from_command_line(sys.argv) File "/opt/fact-virtual-environment/local/lib/python2.7/site-packages/django/core/management/__init__.py",line 385,in execute_from_command_line utility.execute() File "/opt/fact-virtual-environment/local/lib/python2.7/site-packages/django/core/management/__init__.py",line 345,in execute settings.INSTALLED_APPS File "/opt/fact-virtual-environment/local/lib/python2.7/site-packages/django/conf/__init__.py",line 46,in __getattr__ self._setup(name) File "/opt/fact-virtual-environment/local/lib/python2.7/site-packages/django/conf/__init__.py",line 42,in _setup self._wrapped = Settings(settings_module) File "/opt/fact-virtual-environment/local/lib/python2.7/site-packages/django/conf/__init__.py",line 98,in __init__ % (self.SETTINGS_MODULE,e) ImportError: Could not import settings 'fact.settings.staging' (Is it on sys.path? Is there an import error in the settings file?): cannot import name current_app
它正在寻找的设置文件位于/usr/share/fact/fact/settings/staging.py
我完全不能理解为什么我不能让这个应用程序在其apparmorconfiguration文件下运行。 configuration文件中的设置应该允许。 这是怎么回事?
如何使用ReflectionPermission来拒绝reflection
如何保护ajax内容
如何知道我的web服务在Visual Studio 2005下运行的帐户
存储Windows密码
我如何从C ++服务应用程序访问Windowslogin(authentication)API?
所有拒绝都在寻找这个特定的目录: /usr/local/lib/python2.7/dist-packages/
你的个人资料包括这个目录的一些孩子:
/usr/local/lib/python2.7/dist-packages/**/ rm,
但是它不包括这个特定的目录。 因此,将此添加到您的个人资料,重新加载配置文件,然后再试一次:
/usr/local/lib/python2.7/dist-packages/ r,
AppArmor使用尾部/来确定管理员是否打算允许获取目录列表而不是允许读取文件。
谢谢
您的个人资料缺少读取目录/usr/local/lib/python2.7/site-packages/的权限
你将需要添加/usr/local/lib/python2.7/site-packages/r,
您当前配置文件的权限允许访问/usr/local/lib/python2.7/site-packages/下的所有内容,但不能实际访问目录本身
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。