This article describes how to modify the example sbin.dhclient profile and put it into enforce mode under AppArmor.
1 Install AppArmor
Install AppArmor first, as described in the separate installation article.
2 Modify and apply sbin.dhclient profile
Use /usr/share/doc/apparmor-profiles/extras/sbin.dhclient as the starting point.
$ sudo cp /usr/share/doc/apparmor-profiles/extras/sbin.dhclient \
/etc/apparmor.d/
Modify /etc/apparmor.d/sbin.dhclient with the following patch. The added rules were derived from the DENIED messages in the AppArmor audit log.
The patch still cannot suppress the DENIED message for name="run/systemd/journal/dev-log": a rule written with that name as reported, without a leading slash, is rejected by AppArmor as a syntax error.
$ cd /etc/apparmor.d/
$ cat <<EOF | sudo patch -p1
--- a/sbin.dhclient 2017-03-16 10:11:02.000000000 +0900
+++ b/sbin.dhclient 2017-06-14 23:41:28.360129670 +0900
@@ -74,7 +74,9 @@
/etc/sysconfig/network/scripts/functions r,
/sbin/ip mrix,
/usr/lib/NetworkManager/nm-dhcp-client.action mrix,
+ /usr/lib/NetworkManager/nm-dhcp-helper ix,
/var/lib/dhcp/* rw,
/{,var/}run/nm-dhclient-*.conf r,
-
+ /{,var/}run/NetworkManager/private-dhcp rw,
+ /{,var/}run/systemd/journal/dev-log w,
}
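Review bot: the `/usr/lib/NetworkManager/nm-dhcp-helper ix,` rule runs the helper under this same profile (inherit), so every path the helper touches must also be allowed here, which is presumably why `/{,var/}run/NetworkManager/private-dhcp rw,` is needed in the same hunk; if the helper's accesses keep growing, a child profile (`Cx`) would keep them out of dhclient's own rule set. The removed blank line (`-`) is unnecessary churn and can stay. Since the text says `/{,var/}run/systemd/journal/dev-log w,` does not clear the denial it was written for, capture the full DENIED line (operation= and denied_mask=) before adding further path rules, to confirm it is a file access that a path `w` rule can satisfy.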
EOF
Put the sbin.dhclient profile into enforce mode.
$ sudo aa-enforce /etc/apparmor.d/sbin.dhclient
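The patch above was assembled by hand from DENIED messages, and the text notes that one of them (name="run/systemd/journal/dev-log") cannot be turned into a rule as reported because the parser rejects a path without a leading slash. The following shell script is an added example, not part of the original article or of the apparmor-profiles package: it parses constructed sample DENIED lines for the /sbin/dhclient profile, merges the denied masks per path into candidate rules, and flags names that are not absolute paths instead of emitting a rule the parser would reject. The sample log lines (including their operation= values), the function names denied_to_rules and sample_rules, and the mask mapping (c and d become w, a bare x becomes ix) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: turn AppArmor DENIED audit lines
# into candidate profile rules, the way the patch in the article was built by hand.
# The log lines below are constructed samples, not output captured from a real system.
SAMPLE_LOG='type=AVC msg=audit(1497451288.360:1001): apparmor="DENIED" operation="open" profile="/sbin/dhclient" name="/var/lib/dhcp/dhclient.leases" pid=1234 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1497451288.361:1002): apparmor="DENIED" operation="open" profile="/sbin/dhclient" name="/var/lib/dhcp/dhclient.leases" pid=1234 comm="dhclient" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1497451288.362:1003): apparmor="DENIED" operation="exec" profile="/sbin/dhclient" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1235 comm="dhclient" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1497451288.363:1004): apparmor="DENIED" operation="sendmsg" profile="/sbin/dhclient" name="run/systemd/journal/dev-log" pid=1234 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1497451288.364:1005): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=2000 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# denied_to_rules PROFILE  (audit lines on stdin)
# Prints one candidate rule per path for the given profile, merging masks across
# repeated denials. Names that are not absolute paths are emitted as comments,
# since the AppArmor parser rejects them (the dev-log case from the article).
denied_to_rules() {
    awk -v prof="$1" '
    # Map log mask letters to rule letters: c (create) and d (delete) need w,
    # and a bare x is not a valid rule, so it becomes ix like the patch uses.
    function norm(m,   out, i, c) {
        gsub(/[cd]/, "w", m)
        if (m ~ /x/) { gsub(/x/, "", m); m = m "ix" }
        out = ""
        for (i = 1; i <= length(m); i++) {
            c = substr(m, i, 1)
            if (index(out, c) == 0) out = out c
        }
        return out
    }
    /apparmor="DENIED"/ {
        p = ""; n = ""; m = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1)
            v = substr($i, eq + 1)
            gsub(/"/, "", v)
            if (k == "profile") p = v
            else if (k == "name") n = v
            else if (k == "denied_mask") m = v
        }
        if (p != prof || n == "" || m == "") next
        if (!(n in mask)) order[++cnt] = n
        mask[n] = mask[n] m
    }
    END {
        for (i = 1; i <= cnt; i++) {
            n = order[i]
            m = norm(mask[n])
            if (substr(n, 1, 1) != "/") {
                print "  # skipped, not an absolute path (parser would reject it): " n " " m
            } else {
                if (m ~ /x/) print "  # exec rule: pick ix/Px/Cx deliberately; ix keeps the child under this profile"
                print "  " n " " m ","
            }
        }
    }'
}

# Convenience wrapper over the constructed sample; real use would be e.g.
#   grep 'apparmor="DENIED"' /var/log/audit/audit.log | denied_to_rules /sbin/dhclient
sample_rules() {
    printf '%s\n' "$SAMPLE_LOG" | denied_to_rules /sbin/dhclient
}

sample_rules
```

The output is a starting point for editing the profile, not a finished rule set: each candidate still needs a decision on whether the access is legitimate, and the skipped dev-log entry is exactly the case the article hits, where the reported name cannot be pasted into the profile as a file rule.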