SLES 10 SP4: Apache, AppArmor and virtual hosts


I’m pretty new to AppArmor and have some basic questions.
I have an Apache running some virtual hosts. One vhost should be protected by AppArmor, the others not.
Furthermore the other vhosts should NOT BE CONFINED OR DISTURBED by AppArmor.
Does it matter if it is a name-based or IP-based vhost?

I have a SLES 10 SP4 box.

I installed apparmor and the module for apache. The module is enabled. I added the following to the conf-file of the vhost:

AADefaultHatName genetrap
This is the vhost I want to confine.

To /etc/apparmor.d/usr.sbin.httpd2-prefork i added the following:

/usr/sbin/httpd2-prefork//genetrap flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice>
}
It seems this is the SUSE way to define a subprofile. I also saw subprofile definitions beginning with a ^ followed by just the name of the hat,
but included inside the block of the profile for /usr/sbin/httpd2-prefork.
Are both correct? Is there a reason to prefer one?

Restarts of apache and apparmor don’t complain.

Having a look in /var/log/audit/audit.log shows lines like:
type=APPARMOR_ALLOWED msg=audit(1493230551.040:17953): type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/usr/share/apache2/error/include/top.html" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"

Does that mean that the profile is running fine?

Is the procedure I did correct?
aa-status does not show the newly created subprofile.
I saw documents in the net where aa-status shows the subprofiles, but they used a newer version of apparmor.
Maybe it’s related to this.

pc52842:~ # aa-status
apparmor module is loaded.
11 profiles are loaded.
10 profiles are in enforce mode.
1 profiles are in complain mode.
15 processes have profiles defined.
3 processes are in enforce mode :
/sbin/syslog-ng (3084)
/usr/sbin/nscd (3762)
/sbin/klogd (3087)
12 processes are in complain mode.
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3410)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3408)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3030)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3407)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3032)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3031)
/usr/sbin/httpd2-prefork (3028)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (11334)
/usr/sbin/httpd2-prefork (3027)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3029)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3409)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3405)
0 processes are unconfined but have a profile defined.

Is that correct? Is it possible now to have the vhost running for a certain time in complain mode and then
use logprof to create a profile just for this one vhost? Is it possible to confine just one vhost, not the other ones?
Can I run a subprofile for a vhost in enforce mode, but keep the profile for httpd2 in complain mode (to not disturb the other vhosts)?

Or is the idea too tricky, and should I use a VM with a dedicated Apache just for this vhost and confine just this Apache instance?
It’s important that the other vhosts are not confined/disturbed, because they are running important web applications for ourselves.
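Added example, not part of the original post: a small Python script that parses audit.log lines in the layout quoted above and groups, per profile or hat, the paths and masks that AppArmor recorded in denied_mask. In complain mode such accesses are logged as APPARMOR_ALLOWED but would be blocked in enforce mode, so the report shows what a later profile needs to permit. The sample lines are constructed (only the first is the one from the post); the hat name "othervhost" is a made-up placeholder.

```python
import re
from collections import defaultdict

# Constructed sample in the SLES 10 audit.log format quoted in the post.
# Line 1 is the post's own line; lines 2-4 are invented for illustration.
SAMPLE_AUDIT_LOG = """\
type=APPARMOR_ALLOWED msg=audit(1493230551.040:17953): type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/usr/share/apache2/error/include/top.html" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230551.041:17954): type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/srv/www/genetrap/index.cgi" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230551.042:17955): type=1502 operation="inode_permission" requested_mask="w" denied_mask="w" name="/srv/www/genetrap/index.cgi" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_DENIED msg=audit(1493230560.100:17960): type=1502 operation="inode_permission" requested_mask="w" denied_mask="w" name="/var/tmp/upload.tmp" pid=3410 profile="/usr/sbin/httpd2-prefork//othervhost"
"""

# key=value pairs; values are either "quoted strings" or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return the fields of one APPARMOR_* audit line as a dict, else None.

    The line carries 'type=' twice (event name, then numeric record type),
    so the event name is saved separately under 'event' before parsing.
    """
    if not line.startswith("type=APPARMOR_"):
        return None
    fields = {"event": line.split(None, 1)[0].split("=", 1)[1]}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def would_be_denied(log_text):
    """Map profile -> path -> combined denied_mask letters (e.g. 'rw').

    APPARMOR_ALLOWED entries with a denied_mask come from complain mode:
    permitted now, blocked once the profile/hat is enforced.
    """
    report = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and "denied_mask" in f and "name" in f:
            report[f["profile"]][f["name"]].update(f["denied_mask"])
    return {p: {path: "".join(sorted(m)) for path, m in paths.items()}
            for p, paths in report.items()}


def event_counts(log_text):
    """Count (profile, event) pairs to separate complain-mode hints from real denials."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f:
            counts[(f["profile"], f["event"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for profile, paths in would_be_denied(SAMPLE_AUDIT_LOG).items():
        print(profile)
        for path, mask in sorted(paths.items()):
            print(f"  {path} {mask},")
```

The per-path lines it prints are already in the form of file rules, so they can be compared against what aa-logprof proposes for the hat.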




Some more questions:

I just tried aa-logprof to generate a profile. In the newly created profile there is e.g. an entry:
/usr/bin/perl ix,

aa-logprof did not ask me about perl; it seems it added it automatically. Does anyone know why? Is this a bug?
I think it’s an interactive tool; I wouldn’t expect any automatism.

A subprofile does not inherit anything from its “parent” profile. That means at first the hat isn’t allowed to do anything.
Does it make sense to copy the rules from usr.sbin.httpd2 to the hat so that the hat can extend basic functionality?
Does it make sense to tighten the parent and be more generous with the hat, or the other way round?