Hello,

On Wednesday, 18 February 2015, azurIt wrote:
> I'm trying to create some kind of RBAC system for web applications
> using apparmor + mod_apparmor (Apache web server). mod_apparmor is
> able to assign different hats for different URIs, which is kinda
> cool.  The problem is that I want to use the same hats for different
> users/domains who/which have files in different locations (I don't
> want to create one hat per user/domain because there are thousands of
> them). Is there any way to create variable paths? For example:
> @DOMAIN_DOCUMENT_ROOT/index.php r,
> @DOMAIN_DOCUMENT_ROOT/tmp/* rw,
> ...
> 
> The 'DOMAIN_DOCUMENT_ROOT' should be some kind of variable passed via
> AAHatName/AADefaultHatName mod_apparmor directives or set as
> environmental variables inside Apache config file.

Unfortunately no such variable that could be passed in via apache config 
exists (and it's probably not too easy to implement because the profiles 
live in the kernel, and Apache/mod_apparmor is in userspace).

> Or is it possible to set relative paths to current working directory?

No (and it would be a bad idea because a simple chdir call would change 
permissions ;-) )


I'm handling this with a small script that generates profile snippets 
for each vhost from a template (basically using sed to replace 
@@DOCROOT@@ with the document root). 
Another part of the script adds a hat for each vhost to the apache 
profile that #include's the autogenerated snippet.

If you are interested in my script, just speak up. It isn't too nice, 
but works ;-)


Regards,

Christian Boltz
-- 
> Everyone ends up with Mutt or Gnus sooner or later anyway,
> so you can take the shortcut and start with it right away. ;)
No, that statement is simply wrong. Because in a
small village in the northwest of Gaul...
[> Andreas Kneib and Thomas Hertweck in suse-linux]


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
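
The per-vhost generation described in the reply above, sketched as an added example; it is not Christian Boltz's script. The template rules (taken from the question), the vhost_NAME file naming, the function names and the output directory are assumptions, and the sketch goes one step further than the mail by refusing document roots that would widen the generated rules.

```shell
#!/bin/sh
# Added example, not the script from the mail. The template reuses the two
# rules from the question; @@DOCROOT@@ is the placeholder named in the reply.
TEMPLATE='  @@DOCROOT@@/index.php r,
  @@DOCROOT@@/tmp/* rw,'

# valid_docroot PATH: succeed only for an absolute path built from
# [A-Za-z0-9._/-] with no ".." component. Anything else (AppArmor globs
# such as * ? [ ] { }, or the sed metacharacters | & \) is refused, so a
# vhost entry cannot widen the generated rules or break the substitution.
valid_docroot() {
    case $1 in
        /*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *[!A-Za-z0-9._/-]* | */../* | */..) return 1 ;;
    esac
    return 0
}

# gen_vhost NAME DOCROOT OUTDIR (hypothetical helper)
# Writes the rule snippet to OUTDIR/vhost_NAME and prints the hat block
# that would be added to the apache profile for this vhost.
gen_vhost() {
    gv_name=$1
    gv_root=${2%/}      # drop one trailing slash; "/" itself is then refused
    gv_out=$3
    case $gv_name in
        '' | *[!A-Za-z0-9._-]*) echo "bad vhost name: $gv_name" >&2; return 1 ;;
    esac
    valid_docroot "$gv_root" || { echo "bad docroot: $2" >&2; return 1; }
    printf '%s\n' "$TEMPLATE" |
        sed "s|@@DOCROOT@@|$gv_root|g" > "$gv_out/vhost_$gv_name" || return 1
    printf '  ^%s {\n    #include "%s/vhost_%s"\n  }\n' \
        "$gv_name" "$gv_out" "$gv_name"
}
```

Called as gen_vhost example.com /srv/www/example.com /etc/apparmor.d/vhosts (constructed values), it writes the snippet and prints the hat block; the apache profile has to be reloaded afterwards for the kernel to see the new hat.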
