在 apparmor 配置文件下加载 Django 应用程序的设置
Loading Django application's setting under an apparmor profile
所以我们有一个需要 apparmor 配置文件(客户端授权)的 django 应用程序。它 运行 在位于 /opt/fact-virtual-environment
的 Python 虚拟环境中。应用程序本身安装到 /usr/share/fact
以下是我目前的个人资料(主要使用 aa-genprof 工具构建):
# Last Modified: Tue Jan 20 09:25:09 2015
#include <tunables/global>
/usr/bin/fact flags=(audit) {
#include <abstractions/apache2-common>
#include <abstractions/base>
#include <abstractions/bash>
capability setgid,
capability sys_resource,
/usr/local/lib/python2.7/dist-packages/**/ rm,
/usr/local/lib/python2.7/dist-packages/** rm,
/usr/local/lib/python2.7/site-packages/**/ rm,
/usr/local/lib/python2.7/site-packages/** rm,
/etc/apparmor.d/** r,
#/usr/lib/python2.7/**[^/] r,
/usr/bin/sudo Ux,
#/usr/bin/strace ux,
/bin/bash rix,
/bin/dash rix,
/bin/uname rix,
/dev/tty rw,
/etc/default/locale r,
#/etc/nsswitch.conf r,
#/etc/group r,
#/etc/passwd r,
/etc/environment r,
/etc/login.defs r,
/etc/lsb-release r,
/etc/fact/fact.ini r,
/etc/python2.7/sitecustomize.py r,
/etc/security/pam_env.conf r,
/lib{,32,64}/** mr,
/opt/fact-virtual-environment/**/ mr,
/opt/fact-virtual-environment/lib/python2.7/**/ mr,
/opt/fact-virtual-environment/lib/python2.7/** mr,
/opt/fact-virtual-environment/bin/python rix,
/run/utmp rk,
/sbin/ldconfig rix,
/sbin/ldconfig.real rix,
/usr/bin/fact rix,
/usr/lib{,32,64}/** mr,
/usr/share/fact/**/ r,
/usr/share/fact/** r,
/usr/share/pyshared/** r,
/usr/share/pyshared/**/ r,
}
.../usr/bin/fact
命令是一个简单的包装器:
#!/bin/bash
## This script is for running the 'fact' command on staging/prod, it sudos to
## the 'fact' user before executing /opt/fact/bin/fact
## It is installed as '/usr/bin/fact'
PYTHONPATH=/usr/share/fact
PYTHON_BIN=/opt/fact-virtual-environment/bin/python
DJANGO_SETTINGS_MODULE=fact.settings.staging
if [ "$USER" != "fact" ];
then
sudo -u fact [=11=] $*;
else
PYTHONPATH=${PYTHONPATH} DJANGO_SETTINGS_MODULE=${DJANGO_SETTINGS_MODULE} ${PYTHON_BIN} -m fact.managecommand $*;
fi
我已经启用了很多我知道我不需要的读取权限,比如调试尝试中的整个 /usr/local/lib/*
集。整件事让我印象深刻的是,当我 运行 service apparmor reload
(或重新启动)时,我的配置文件似乎没有重新加载。如果我重新启动服务与 aa-complain usr.bin.fact
后跟 aa-enforce usr.bin.fact
.
,我似乎会得到不同的结果
现在当我 运行 我的命令并检查系统日志时,我看到以下内容:
Feb 11 15:08:48 spiffy kernel: [1228245.774660] type=1400 audit(1423620528.359:14142): apparmor="DENIED" operation="open" parent=12884 profile="/usr/bin/fact" name="/usr/local/lib/python2.7/site-packages/" pid=12885 comm="python" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
Feb 11 15:08:48 spiffy kernel: [1228245.774855] type=1400 audit(1423620528.359:14143): apparmor="DENIED" operation="open" parent=12884 profile="/usr/bin/fact" name="/usr/local/lib/python2.7/dist-packages/" pid=12885 comm="python" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
Feb 11 15:08:48 spiffy kernel: [1228245.775829] type=1400 audit(1423620528.359:14144): apparmor="DENIED" operation="open" parent=12884 profile="/usr/bin/fact" name="/usr/local/lib/python2.7/dist-packages/" pid=12885 comm="python" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
..和我的 python 申请 barfs:
$ fact
Traceback (most recent call last):
File "/usr/lib/python2.7/runpy.py", line 162, in _run_module_as_main
"__main__", fname, loader, pkg_name)
File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
exec code in run_globals
File "/usr/share/fact/fact/managecommand.py", line 6, in <module>
execute_from_command_line(sys.argv)
File "/opt/fact-virtual-environment/local/lib/python2.7/site-packages/django/core/management/__init__.py", line 385, in execute_from_command_line
utility.execute()
File "/opt/fact-virtual-environment/local/lib/python2.7/site-packages/django/core/management/__init__.py", line 345, in execute
settings.INSTALLED_APPS
File "/opt/fact-virtual-environment/local/lib/python2.7/site-packages/django/conf/__init__.py", line 46, in __getattr__
self._setup(name)
File "/opt/fact-virtual-environment/local/lib/python2.7/site-packages/django/conf/__init__.py", line 42, in _setup
self._wrapped = Settings(settings_module)
File "/opt/fact-virtual-environment/local/lib/python2.7/site-packages/django/conf/__init__.py", line 98, in __init__
% (self.SETTINGS_MODULE, e)
ImportError: Could not import settings 'fact.settings.staging' (Is it on sys.path? Is there an import error in the settings file?): cannot import name current_app
它要查找的设置文件位于 /usr/share/fact/fact/settings/staging.py
我完全不明白为什么我无法根据其 apparmor 配置文件将此应用程序添加到 运行。配置文件中的设置应该允许它。怎么回事?
所有拒绝都在寻找这个特定目录:/usr/local/lib/python2.7/dist-packages/
您的个人资料包含此目录的一些子项:
/usr/local/lib/python2.7/dist-packages/**/ rm,
/usr/local/lib/python2.7/dist-packages/** rm,
/usr/local/lib/python2.7/site-packages/**/ rm,
/usr/local/lib/python2.7/site-packages/** rm,
但它不包括这个特定的目录。所以将此添加到您的个人资料,重新加载个人资料,然后重试:
/usr/local/lib/python2.7/dist-packages/ r,
AppArmor 使用尾随 /
来确定管理员是打算允许获取目录列表还是允许读取文件。
谢谢
您的个人资料缺少读取目录的权限
/usr/local/lib/python2.7/站点包/
您需要添加
/usr/local/lib/python2.7/site-packages/r,
您当前配置文件的权限允许访问 /usr/local/lib/python2.7/site-packages/ 下的所有内容,但不能实际访问目录本身
所以我们有一个需要 apparmor 配置文件(客户端授权)的 django 应用程序。它 运行 在位于 /opt/fact-virtual-environment
的 Python 虚拟环境中。应用程序本身安装到 /usr/share/fact
以下是我目前的个人资料(主要使用 aa-genprof 工具构建):
# Last Modified: Tue Jan 20 09:25:09 2015
#include <tunables/global>
/usr/bin/fact flags=(audit) {
#include <abstractions/apache2-common>
#include <abstractions/base>
#include <abstractions/bash>
capability setgid,
capability sys_resource,
/usr/local/lib/python2.7/dist-packages/**/ rm,
/usr/local/lib/python2.7/dist-packages/** rm,
/usr/local/lib/python2.7/site-packages/**/ rm,
/usr/local/lib/python2.7/site-packages/** rm,
/etc/apparmor.d/** r,
#/usr/lib/python2.7/**[^/] r,
/usr/bin/sudo Ux,
#/usr/bin/strace ux,
/bin/bash rix,
/bin/dash rix,
/bin/uname rix,
/dev/tty rw,
/etc/default/locale r,
#/etc/nsswitch.conf r,
#/etc/group r,
#/etc/passwd r,
/etc/environment r,
/etc/login.defs r,
/etc/lsb-release r,
/etc/fact/fact.ini r,
/etc/python2.7/sitecustomize.py r,
/etc/security/pam_env.conf r,
/lib{,32,64}/** mr,
/opt/fact-virtual-environment/**/ mr,
/opt/fact-virtual-environment/lib/python2.7/**/ mr,
/opt/fact-virtual-environment/lib/python2.7/** mr,
/opt/fact-virtual-environment/bin/python rix,
/run/utmp rk,
/sbin/ldconfig rix,
/sbin/ldconfig.real rix,
/usr/bin/fact rix,
/usr/lib{,32,64}/** mr,
/usr/share/fact/**/ r,
/usr/share/fact/** r,
/usr/share/pyshared/** r,
/usr/share/pyshared/**/ r,
}
.../usr/bin/fact
命令是一个简单的包装器:
#!/bin/bash
## This script is for running the 'fact' command on staging/prod, it sudos to
## the 'fact' user before executing /opt/fact/bin/fact
## It is installed as '/usr/bin/fact'
PYTHONPATH=/usr/share/fact
PYTHON_BIN=/opt/fact-virtual-environment/bin/python
DJANGO_SETTINGS_MODULE=fact.settings.staging
if [ "$USER" != "fact" ];
then
sudo -u fact [=11=] $*;
else
PYTHONPATH=${PYTHONPATH} DJANGO_SETTINGS_MODULE=${DJANGO_SETTINGS_MODULE} ${PYTHON_BIN} -m fact.managecommand $*;
fi
我已经启用了很多我知道我不需要的读取权限,比如调试尝试中的整个 /usr/local/lib/*
集。整件事让我印象深刻的是,当我 运行 service apparmor reload
(或重新启动)时,我的配置文件似乎没有重新加载。如果我重新启动服务与 aa-complain usr.bin.fact
后跟 aa-enforce usr.bin.fact
.
现在当我 运行 我的命令并检查系统日志时,我看到以下内容:
Feb 11 15:08:48 spiffy kernel: [1228245.774660] type=1400 audit(1423620528.359:14142): apparmor="DENIED" operation="open" parent=12884 profile="/usr/bin/fact" name="/usr/local/lib/python2.7/site-packages/" pid=12885 comm="python" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
Feb 11 15:08:48 spiffy kernel: [1228245.774855] type=1400 audit(1423620528.359:14143): apparmor="DENIED" operation="open" parent=12884 profile="/usr/bin/fact" name="/usr/local/lib/python2.7/dist-packages/" pid=12885 comm="python" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
Feb 11 15:08:48 spiffy kernel: [1228245.775829] type=1400 audit(1423620528.359:14144): apparmor="DENIED" operation="open" parent=12884 profile="/usr/bin/fact" name="/usr/local/lib/python2.7/dist-packages/" pid=12885 comm="python" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
..和我的 python 申请 barfs:
$ fact
Traceback (most recent call last):
File "/usr/lib/python2.7/runpy.py", line 162, in _run_module_as_main
"__main__", fname, loader, pkg_name)
File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
exec code in run_globals
File "/usr/share/fact/fact/managecommand.py", line 6, in <module>
execute_from_command_line(sys.argv)
File "/opt/fact-virtual-environment/local/lib/python2.7/site-packages/django/core/management/__init__.py", line 385, in execute_from_command_line
utility.execute()
File "/opt/fact-virtual-environment/local/lib/python2.7/site-packages/django/core/management/__init__.py", line 345, in execute
settings.INSTALLED_APPS
File "/opt/fact-virtual-environment/local/lib/python2.7/site-packages/django/conf/__init__.py", line 46, in __getattr__
self._setup(name)
File "/opt/fact-virtual-environment/local/lib/python2.7/site-packages/django/conf/__init__.py", line 42, in _setup
self._wrapped = Settings(settings_module)
File "/opt/fact-virtual-environment/local/lib/python2.7/site-packages/django/conf/__init__.py", line 98, in __init__
% (self.SETTINGS_MODULE, e)
ImportError: Could not import settings 'fact.settings.staging' (Is it on sys.path? Is there an import error in the settings file?): cannot import name current_app
它要查找的设置文件位于 /usr/share/fact/fact/settings/staging.py
我完全不明白为什么我无法根据其 apparmor 配置文件将此应用程序添加到 运行。配置文件中的设置应该允许它。怎么回事?
所有拒绝都在寻找这个特定目录:/usr/local/lib/python2.7/dist-packages/
您的个人资料包含此目录的一些子项:
/usr/local/lib/python2.7/dist-packages/**/ rm,
/usr/local/lib/python2.7/dist-packages/** rm,
/usr/local/lib/python2.7/site-packages/**/ rm,
/usr/local/lib/python2.7/site-packages/** rm,
但它不包括这个特定的目录。所以将此添加到您的个人资料,重新加载个人资料,然后重试:
/usr/local/lib/python2.7/dist-packages/ r,
AppArmor 使用尾随 /
来确定管理员是打算允许获取目录列表还是允许读取文件。
谢谢
您的个人资料缺少读取目录的权限 /usr/local/lib/python2.7/站点包/
您需要添加 /usr/local/lib/python2.7/site-packages/r,
您当前配置文件的权限允许访问 /usr/local/lib/python2.7/site-packages/ 下的所有内容,但不能实际访问目录本身