Skip to content

Experimental AppArmor on CentOS 5.5, x86_64

Warning! This is an experimental (RC) version of the kernel with experimental AppArmor patch in it, use at your own risk!

Kernel

Currently we ignore the CentOS-specific instructions, we build a simple vanilla kernel instead.

Obtaining

We need GIT. Either grab it from the RPMForge repository (yum install git) or if that doesn't work, then:

 rpm -i http://dag.linux.iastate.edu/dag/redhat/el5/en/x86_64/rpmforge/RPMS/git-1.7.1-3.el5.rf.x86_64.rpm http://dag.linux.iastate.edu/dag/redhat/el5/en/x86_64/rpmforge/RPMS/perl-Git-1.7.1-3.el5.rf.x86_64.rpm

Now we can check out the kernel:

 mkdir -p ~/apparmor/ && cd ~/apparmor/
 git clone git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git
 cd apparmor-dev/
 git checkout --track -b AA2.5-2.6.33 origin/AA2.5-2.6.33

Building

 cd ~/apparmor/apparmor-dev/

See if we can reuse the existing kernel configuration (CONFIG_IKCONFIG=y, CONFIG_IKCONFIG_PROC=y):

 cp /proc/config.gz ./ && gzip -d config.gz

Tweak the kernel, enable AppArmor and CONFIG_SYSFS_DEPRECATED_V2:

 yum install ncurses-devel
 make menuconfig

“Security options” ---> “AppArmor support”.

Warning! To boot CentOS 5.5 we have to switch on the old init tools support: CONFIG_SYSFS_DEPRECATED_V2=Y.

Installing

 cd ~/apparmor/apparmor-dev/
 yum install rpm-build
 make rpm
 rpm -i /usr/src/redhat/RPMS/x86_64/kernel-2.6.33-1.x86_64.rpm
 mkinitrd -f /boot/initrd-2.6.33.img 2.6.33

Try booting the new kernel with kexec:

 yum install kexec-tools
 kexec -l /boot/vmlinuz-2.6.33 --initrd=/boot/initrd-2.6.33.img --append=“ro root=LABEL=/ noapic”
 kexec -e

Edit “/boot/grub/grub.conf” and add:

 title AppArmor(2.6.33-1)
   root (hd0,0)
   kernel /vmlinuz-2.6.33 ro root=LABEL=/ noapic
   initrd /initrd-2.6.33.img

If this is your first grub.conf title, it makes sense to add

 fallback=1

Checking

Reboot under new kernel:

 /sbin/shutdown -r now

or

 reboot

Now see if AppArmor is loaded and enabled (should print “Y”):

 cat /sys/module/apparmor/parameters/enabled

Tools

For CentOS we will be building the AppArmor tools from source.

Necessary Perl packages

AppArmor tools depend on these additional Perl packages which we will let CentOS to maintain:

 yum install perl-libxml-perl

We also need Term::ReadKey, but it isn't available in the default CentOS install, perhaps you have it from RPMForge or some other repository:

 yum whatprovides “*/perl(Term::ReadKey)”
 yum whatprovides “*/perl(Locale::gettext)”
 yum whatprovides “*/perl(RPC::XML)”

with RPMForge it is:

 yum install perl-TermReadKey
 yum install perl-Locale-gettext
 yum install perl-RPC-XML

otherwise just grab it from the nearest RedHat repository:

 rpm -i http://dag.linux.iastate.edu/dag/redhat/el5/en/x86_64/rpmforge/RPMS/perl-TermReadKey-2.30-3.el5.rf.x86_64.rpm
 rpm -i http://dag.linux.iastate.edu/dag/redhat/el5/en/x86_64/rpmforge/RPMS/perl-Locale-gettext-1.05-1.el5.rf.x86_64.rpm
 rpm -i http://dag.linux.iastate.edu/dag/redhat/el5/en/x86_64/rpmforge/RPMS/perl-XML-Parser-2.36-1.el5.rf.x86_64.rpm
 rpm -i http://dag.linux.iastate.edu/dag/redhat/el5/en/x86_64/rpmforge/RPMS/perl-RPC-XML-0.71-1.el5.rf.noarch.rpm

Fetch and build

Make sure the necessary build tools and libraries are installed:

yum install bison gcc-c++ tetex-latex gettext-devel

We need a version of flex with “yypop_buffer_state” (the version from “yum install flex” is too old). Grab the fresh version from http://flex.sourceforge.net/:

 mkdir -p ~/apparmor/ && cd ~/apparmor/
 wget “http://downloads.sourceforge.net/project/flex/flex/flex-2.5.35/flex-2.5.35.tar.bz2"
 tar -xjf flex-2.5.35.tar.bz2
 cd flex-2.5.35/
 ./configure && make && make install && echo okay
 ```

Fetch a stable tools build [from launchpad](https://launchpad.net/apparmor)
mkdir -p ~/apparmor/ && cd ~/apparmor/ wget http://launchpad.net/apparmor/2.5/2.5.1/+download/apparmor-2.5.1.tar.gz tar -xzf apparmor-2.5.1.tar.gz 
Build parser:
cd ~/apparmor/apparmor-2.5.1/parser/ make LEX=/usr/local/bin/flex make install 
Build apparmor utils:
cd ~/apparmor/apparmor-2.5.1/utils/ make && make install && echo okay 
Create profiles directory:
cd ~/apparmor/apparmor-2.5.1/profiles/ make install 
#### Startup

Manual restart:
/etc/init.d/apparmor restart 
Automatic startup:
cd /etc/init.d/ chkconfig --add apparmor 
#### Checking

The `aa-status` tool now should print a list of known and used
profiles, like this:
apparmor module is loaded. 25 profiles are loaded. 25 profiles are in enforce mode. /bin/ping /sbin/klogd /sbin/syslog-ng /sbin/syslogd /usr/lib/apache2/mpm-prefork/apache2 /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo /usr/lib/dovecot/deliver /usr/lib/dovecot/dovecot-auth /usr/lib/dovecot/imap /usr/lib/dovecot/imap-login /usr/lib/dovecot/managesieve-login /usr/lib/dovecot/pop3 /usr/lib/dovecot/pop3-login /usr/sbin/avahi-daemon /usr/sbin/dnsmasq /usr/sbin/dovecot /usr/sbin/identd /usr/sbin/mdnsd /usr/sbin/nmbd /usr/sbin/nscd /usr/sbin/ntpd /usr/sbin/smbd /usr/sbin/traceroute 0 profiles are in complain mode. 2 processes have profiles defined. 0 processes are in enforce mode : 0 processes are in complain mode. 2 processes are unconfined but have a profile defined. /sbin/klogd (2282) /sbin/syslogd (2278) 
#### Tuning logs

Audit data by default is dropped into /var/log/messages via
syslogd. That way, the data is severely capped by the kernel in order
not to overload the messages log. To make audit data usable with
AppArmor we should install auditd and tune it to keep large amounts
of data:
yum install audit joe /etc/audit/auditd.conf # num_logs = 2, max_log_file = 200 /etc/init.d/auditd restart ```