Posted 2018-8-22 10:21

[Continued from the previous part]
Original article: http://www.lenky.info/archives/2014/05/2405
View the generated profile file:

```
lenky@local:~$ sudo cat /etc/apparmor.d/usr.sbin.nginx
  /etc/group r,
  /etc/nginx/conf.d/ r,
  /etc/nginx/mime.types r,
  /etc/nginx/nginx.conf r,
  /etc/nginx/sites-enabled/ r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/ssl/openssl.cnf r,
  /run/nginx.pid w,
  /usr/sbin/nginx mr,
  /var/log/nginx/error.log a,
```
As you can see, many operations have not been captured yet, for example access to the access.log file. Run sudo aa-logprof to continue granting permissions for these operations:
```
lenky@local:~$ sudo aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:
WARN: unknown capability: CAP_dac_override

Profile:    /usr/sbin/nginx
Capability: dac_override
Severity:   unknown

[(A)llow] / (D)eny / (I)gnore / Audi(t) / Abo(r)t / (F)inish
```
Keep pressing a to set every operation to allow, and finally press s to save the configuration. The profile now grants many more permissions:
```
lenky@local:~$ sudo cat /etc/apparmor.d/usr.sbin.nginx
# Last Modified: Thu May 29 16:48:58 2014
#include <tunables/global>

/usr/sbin/nginx flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nis>
  capability dac_override,
  capability dac_read_search,
  capability net_bind_service,
  capability setgid,

  /etc/group r,
  /etc/nginx/conf.d/ r,
  /etc/nginx/mime.types r,
  /etc/nginx/nginx.conf r,
  /etc/nginx/sites-available/default r,
  /etc/nginx/sites-enabled/ r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/ssl/openssl.cnf r,
  /run/nginx.pid rw,
  /usr/sbin/nginx mr,
  /usr/share/nginx/html/appamror/allow.html r,
  /usr/share/nginx/html/appamror/deny.html r,
  /var/log/nginx/access.log w,
  /var/log/nginx/error.log w,
}
```
If there are no new operations that still need permissions, the output of aa-logprof looks like this:
```
lenky@local:~$ sudo aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:
Enforce-mode changes:
```
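What aa-logprof does in the steps above is read the kernel's AppArmor audit records out of /var/log/syslog and propose one rule per unseen event. The script below is an added example, not code from the original post or from the AppArmor project: a small stand-in for that step, so that you can see exactly which record produces which rule. SAMPLE_LOG is constructed here; the field names (apparmor=, operation=, profile=, name=, requested_mask=, capname=, family=, sock_type=) follow the AppArmor audit record format, and the function names are my own. It goes a little beyond the file accesses shown on the page: a capable record becomes a capability rule, and a socket create record, which is what a socket() failure like the one the page hits later produces, becomes a network rule.

```shell
#!/bin/sh
# Added example (not from the original post or the AppArmor project): a tiny
# stand-in for the part of aa-logprof that turns kernel audit records into
# candidate profile rules. SAMPLE_LOG is constructed; field names follow the
# AppArmor audit record format. The last record belongs to another profile and
# must be ignored.

SAMPLE_LOG='type=1400 audit(1401352812.123:45): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nginx" name="/var/log/nginx/access.log" pid=2301 comm="nginx" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
type=1400 audit(1401352812.124:46): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nginx" name="/usr/share/nginx/html/appamror/allow.html" pid=2301 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1401352812.125:47): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/nginx" pid=2301 comm="nginx" capability=1 capname="dac_override"
type=1400 audit(1401352812.126:48): apparmor="DENIED" operation="create" profile="/usr/sbin/nginx" pid=2301 comm="nginx" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
type=1400 audit(1401352812.127:49): apparmor="ALLOWED" operation="open" profile="/usr/bin/other" name="/etc/hosts" pid=99 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# field RECORD KEY: print the value of the quoted KEY="value" pair, or nothing.
# The leading whitespace class keeps "name" from matching inside "capname".
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# mask_to_mode MASK: map a requested_mask such as "ac" or "wr" onto the file
# access mode a profile rule needs. Any of w/c/d implies write, 'a' alone is
# append, 'm' is mmap. Execute ('x') is left out on purpose: an exec rule needs
# a qualifier (ix/px/ux) that cannot be inferred from the mask.
mask_to_mode() {
    mask=$1
    mode=""
    case $mask in *r*) mode="${mode}r" ;; esac
    case $mask in *w*|*c*|*d*) mode="${mode}w" ;; esac
    case $mask in
        *a*) case $mode in *w*) ;; *) mode="${mode}a" ;; esac ;;
    esac
    case $mask in *m*) mode="${mode}m" ;; esac
    printf '%s\n' "$mode"
}

# suggest_rules PROFILE: read audit records on stdin and print one candidate
# rule per distinct event that belongs to PROFILE; other profiles are skipped.
suggest_rules() {
    want=$1
    while IFS= read -r rec; do
        [ "$(field "$rec" profile)" = "$want" ] || continue
        op=$(field "$rec" operation)
        case $op in
            capable)
                printf 'capability %s,\n' "$(field "$rec" capname)" ;;
            create|bind|listen|accept|connect)
                # socket-level failures need a network rule, not a file rule
                printf 'network %s %s,\n' "$(field "$rec" family)" "$(field "$rec" sock_type)" ;;
            *)
                name=$(field "$rec" name)
                [ -n "$name" ] || continue
                printf '%s %s,\n' "$name" "$(mask_to_mode "$(field "$rec" requested_mask)")" ;;
        esac
    done | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | suggest_rules /usr/sbin/nginx
```

Run it as a plain sh script; the four rules it prints for /usr/sbin/nginx are the access.log write rule and allow.html read rule from the page's profile, plus capability dac_override and network inet stream. The mask "ac" on access.log collapses to w, exactly what aa-logprof wrote into the page's profile. On a real system you would feed it lines from /var/log/syslog or /var/log/kern.log instead of SAMPLE_LOG, and still review every proposed rule before accepting it, since a rule generated from the log is only as safe as the traffic that produced it.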
The reason for allowing every operation by default is that the profile is about to be switched to enforce mode and nginx restarted; if not all operations have been captured, the default deny will keep nginx from starting.
```
lenky@local:~$ sudo aa-enforce nginx
Setting /usr/sbin/nginx to enforce mode.
lenky@local:~$ sudo /etc/init.d/apparmor restart
 * Reloading AppArmor profiles Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
   [ OK ]
lenky@local:~$ sudo /etc/init.d/nginx restart
 * Restarting nginx nginx   [fail]
lenky@local:~$ sudo nginx
nginx: [emerg] socket() 0.0.0.0:80 failed (13: Permission denied)
```
With the profile above, nginx still fails to start, because nginx has not been granted permission on port 80.
Replace it with this one (from: http://jdh8.github.io/linux/apparmor-nginx-php-fpm/):
```
lenky@local:~$ sudo cat /etc/apparmor.d/usr.sbin.nginx
# Last Modified: Thu May 29 17:11:18 2014
#include <tunables/global>

/usr/sbin/nginx {
  #include <abstractions/apache2-common>
  #include <abstractions/base>
  #include <abstractions/nis>

  capability dac_override,
  capability dac_read_search,
  capability net_bind_service,
  capability setgid,
  capability setuid,

  /etc/nginx/** r,
  /etc/ssl/openssl.cnf r,
  /proc/*/auxv r,
  /run/nginx.pid rw,
  /run/nginx.pid.oldbin w,
  /run/php5-fpm.sock rw,
  /srv/www/** r,
  /usr/sbin/nginx mr,
  /usr/share/nginx/html/** r,
  /var/log/nginx/* w,
}
```
Restart for the change to take effect:
```
lenky@local:~$ sudo /etc/init.d/apparmor restart
 * Reloading AppArmor profiles Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
   [ OK ]
lenky@local:~$ sudo /etc/init.d/nginx restart
 * Restarting nginx nginx   [ OK ]
lenky@local:~$ wget 127.0.0.1
--2014-05-29 17:13:48--  http://127.0.0.1/
正在连接 127.0.0.1:80... 已连接。
已发出 HTTP 请求，正在等待回应... 200 OK
长度： 612 1
正在保存至: “index.html”

100%[=============================================================================================================>] 612         --.-K/s   用时 0s

2014-05-29 17:13:48 (115 MB/s) - 已保存 “index.html” [612/612])

lenky@local:~$
```
To verify further, add one line to /etc/apparmor.d/usr.sbin.nginx:

```
  deny /usr/share/nginx/html/appamror/deny.html r,
```
Test:

```
lenky@local:~$ sudo /etc/init.d/apparmor restart
 * Reloading AppArmor profiles Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
   [ OK ]
lenky@local:~$ sudo /etc/init.d/nginx restart
 * Restarting nginx nginx   [ OK ]
lenky@local:~$
lenky@local:~$ wget 127.0.0.1/appamror/allow.html
--2014-05-29 17:16:28--  http://127.0.0.1/appamror/allow.html
正在连接 127.0.0.1:80... 已连接。
已发出 HTTP 请求，正在等待回应... 200 OK
长度： 33 1
正在保存至: “allow.html.1”

100%[=============================================================================================================>] 33          --.-K/s   用时 0s

2014-05-29 17:16:28 (6.73 MB/s) - 已保存 “allow.html.1” [33/33])

lenky@local:~$ wget 127.0.0.1/appamror/deny.html
--2014-05-29 17:16:34--  http://127.0.0.1/appamror/deny.html
正在连接 127.0.0.1:80... 已连接。
已发出 HTTP 请求，正在等待回应... 403 Forbidden
2014-05-29 17:16:34 错误 403：Forbidden。
```
As you can see, the page deny.html can no longer be accessed, and after removing the deny line it becomes accessible again, which shows that the AppArmor profile has taken effect.
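Two details of that test are worth making explicit. The broad rule /usr/share/nginx/html/** r, in the final profile already matches deny.html, yet the single deny line still wins: in AppArmor an explicit deny rule takes precedence over any allow rule for the same path, regardless of their order in the file. And explicit deny rules are quiet by default, so the 403 above leaves no DENIED record in the kernel log unless the rule carries the audit qualifier. The fragment below is an added example, not taken from the original post or from the linked profile; it only shows the page's own deny line in its place inside the page's final profile, with that qualifier added.

```apparmor
# Added example, not from the original post: the page's deny line shown in
# context inside the final enforce-mode profile. Paths are the page's own.
#include <tunables/global>

/usr/sbin/nginx {
  #include <abstractions/apache2-common>
  #include <abstractions/base>
  #include <abstractions/nis>

  # This broad allow rule matches deny.html as well ...
  /usr/share/nginx/html/** r,

  # ... but an explicit deny rule wins over any allow rule for the same path,
  # whatever the order in the file, so the request fails and nginx answers 403.
  # Explicit deny rules are quiet by default; the audit keyword makes every hit
  # appear in the kernel log as a DENIED record, which is what you want when
  # the rule exists to catch a path that should never be served.
  audit deny /usr/share/nginx/html/appamror/deny.html r,
}
```

Reload the profile afterwards as the page does (sudo /etc/init.d/apparmor restart), or with sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx, and repeat the two wget requests; the allow.html request still succeeds and the deny.html request now leaves a log line in addition to the 403.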
Reference: http://ubuntuforums.org/showthread.php?t=1008906