This article is a continuation of Is It Safe? - Part 1. We pick up where we left off in the YaST control center's Novell AppArmor page.
Probably, the first thing you'll want to consider doing in a new openSUSE install is fortifying your internet browser application by profiling it with AppArmor. Making use of the AppArmor 'Add Profile Wizard' makes creating a profile relatively easy.
The actual path to the location of Firefox on your system may be different from that shown above (click picture to enlarge). A version of Firefox typically is found on openSUSE 10.3 in /usr/lib/firefox (with a symbolic link from /usr/lib/firefox/firefox.sh to /usr/bin/firefox), or, if you have manually downloaded from Mozilla, you may have installed into a different subdirectory, i.e., below your home directory, such as /$HOME/$USER/firefox/. If all else fails, you can open KMenu->Find Files/Folders to determine the exact location. Alternatively, open a Konsole window and type:
$which firefox <enter>
or
$sudo which firefox <enter>
(give root password)
to return to your screen the exact location.
Once you've selected the application, press the create button.
Probably, the first thing you'll want to consider doing in a new openSUSE install is fortifying your internet browser application by profiling it with AppArmor. Making use of the AppArmor 'Add Profile Wizard' makes creating a profile relatively easy.
The actual path to the location of Firefox on your system may be different from that shown above (click picture to enlarge). A version of Firefox typically is found on openSUSE 10.3 in /usr/lib/firefox (with a symbolic link from /usr/lib/firefox/firefox.sh to /usr/bin/firefox), or, if you have manually downloaded from Mozilla, you may have installed into a different subdirectory, i.e., below your home directory, such as /$HOME/$USER/firefox/. If all else fails, you can open KMenu->Find Files/Folders to determine the exact location. Alternatively, open a Konsole window and type:
$which firefox <enter>
or
$sudo which firefox <enter>
(give root password)
to return to your screen the exact location.
Once you've selected the application, press the create button.
Press 'Enable Repository' will determine if there is an existing profile you can use, either local or in an external repository. 'Disable', will ignore the repositories. 'Ask Me Later' will allow you to put off making the decision until later. I have chosen 'Enable Repository' and a new dialog window is displayed.
It would be advisable for you to review any other repository profile to the fullest extent possible before accepting an external source for ongoing use. It just so happens that openSUSE 10.3 comes with its own local repository (/etc/apparmor/profiles/extras/) which includes a profile for Firefox that you can avail yourself to as I am doing here.
Your choices are to 'View Profile', 'Use Profile', or 'Create New Profile'. At the bottom of my list of repositories shown above is 'Inactive local profile for /usr/lib/firefox/firefox.sh'. I am selecting that repository profile to use and pressing 'Use Profile'.
You are now ready to start and exercise your application so that AppArmor can 'learn' how it is used. If you are creating a new profile and not using the local repository profile, I would suggest you minimize this screen, but not close it, start Firefox and use it as you normally would and run it for a while, perhaps a half hour to an hour of steady use should be sufficient. When you are done, close Firefox and maximize your AppArmor Profile Wizard window. If you are using the existing profile, then running Firefox isn't necessary. At this point, press 'Scan system log for AppArmor events'.
The Wizard will present this dialog window after reviewing events.
I opted not to upload my profile to the repository by pressing 'No'. The Wizard returns you to the previous window, at which point you are done. Press 'Finish'.
Congratulations (insert applause sound here). That wasn't bad, was it?
The curious can see what the profile contains by choosing 'Edit Profile' and click on /usr/lib/firefox/firefox.sh. Pressing 'Abort' when done returns to the YaST control center menu.
Not Quite Done
To the extent that /usr/lib/firefox/firefox/sh is an executable 'shell script' that calls and invokes /usr/lib/firefox/firefox-bin, a binary executable, we now need to follow the above steps we took for firefox.sh except selecting this time firefox-bin. When done, you will have two profiles that define the events and permissions of the Firefox shell script, binary executable and shared libraries that are called by firefox-bin.
If at any point you find that the profile is doing something unexpected that prevents you from doing something, or you are just unsure, keep in mind that you can use 'Delete Profile' to remove the profile and start over. 'Edit Profile' is another option when you feel comfortable with what you are doing.
But you shouldn't have a problem if you've taken advantage of the local stock profiles for Firefox. There is a way to troubleshoot your profiles but I'll leave that as a possible future topic.
There is a complete set of documentation for AppArmor that you can either view on-line or download in PDF format found here.
Linux users who aren't using openSUSE can use AppArmor as it is open sourced by Novell. You won't have the YaST GUI and Wizards, but all of the accompanying command line utilities are present upon installation that can be accessed from a terminal window.
That's it on AppArmor for now. In part 3 of "Is it Safe" I'll be taking a tour of openSUSE's Firewall, again found in YaST on the 'Security and Users' page.
Until then, Be Safe!
--dietrich
It would be advisable for you to review any other repository profile to the fullest extent possible before accepting an external source for ongoing use. It just so happens that openSUSE 10.3 comes with its own local repository (/etc/apparmor/profiles/extras/) which includes a profile for Firefox that you can avail yourself to as I am doing here.
Your choices are to 'View Profile', 'Use Profile', or 'Create New Profile'. At the bottom of my list of repositories shown above is 'Inactive local profile for /usr/lib/firefox/firefox.sh'. I am selecting that repository profile to use and pressing 'Use Profile'.
You are now ready to start and exercise your application so that AppArmor can 'learn' how it is used. If you are creating a new profile and not using the local repository profile, I would suggest you minimize this screen, but not close it, start Firefox and use it as you normally would and run it for a while, perhaps a half hour to an hour of steady use should be sufficient. When you are done, close Firefox and maximize your AppArmor Profile Wizard window. If you are using the existing profile, then running Firefox isn't necessary. At this point, press 'Scan system log for AppArmor events'.
The Wizard will present this dialog window after reviewing events.
I opted not to upload my profile to the repository by pressing 'No'. The Wizard returns you to the previous window, at which point you are done. Press 'Finish'.
Congratulations (insert applause sound here). That wasn't bad, was it?
The curious can see what the profile contains by choosing 'Edit Profile' and click on /usr/lib/firefox/firefox.sh. Pressing 'Abort' when done returns to the YaST control center menu.
Not Quite Done
To the extent that /usr/lib/firefox/firefox/sh is an executable 'shell script' that calls and invokes /usr/lib/firefox/firefox-bin, a binary executable, we now need to follow the above steps we took for firefox.sh except selecting this time firefox-bin. When done, you will have two profiles that define the events and permissions of the Firefox shell script, binary executable and shared libraries that are called by firefox-bin.
If at any point you find that the profile is doing something unexpected that prevents you from doing something, or you are just unsure, keep in mind that you can use 'Delete Profile' to remove the profile and start over. 'Edit Profile' is another option when you feel comfortable with what you are doing.
But you shouldn't have a problem if you've taken advantage of the local stock profiles for Firefox. There is a way to troubleshoot your profiles but I'll leave that as a possible future topic.
There is a complete set of documentation for AppArmor that you can either view on-line or download in PDF format found here.
Linux users who aren't using openSUSE can use AppArmor as it is open sourced by Novell. You won't have the YaST GUI and Wizards, but all of the accompanying command line utilities are present upon installation that can be accessed from a terminal window.
That's it on AppArmor for now. In part 3 of "Is it Safe" I'll be taking a tour of openSUSE's Firewall, again found in YaST on the 'Security and Users' page.
Until then, Be Safe!
--dietrich
Blog feed
Comments Feed
Leave a comment