To create a security profile for an application, we need to know what the application is doing. A recommended approach is to analyze the logs at the run time and compose the profile with aa-genprof.
Check out the loaded profiles:
Assign mem2.sh the executable permission:
Have two terminals open for the testub VM: one can be the virsh console, the other can be an ssh session.
In one terminal, start creating a profile with the aa-genprof command:
In the other terminal, start running mem2.sh as user hostadm:
When prompted for the output directory, put /tmp.
In the first terminal, accept all the rules prompted in aa-genprof.
Place the profile in the 'enforce' mode:
See the created profile:
Verify that the profile for mem2.sh is loaded in AppArmor:
You should see the list of the profiles in enforce mode, including /home/hostadm/mem2.sh.
Run ./mem2.sh as root and give /home/hostadm as the output directory.
The script should be denied writing the output into /home/hostadm.
Accept the output into /home/hostadm/mem.out.
Try running mem2.sh again, and give /home/hostadm when prompted. Now the script should be able to write into /home/hostadm.
Check out the updated profile:
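The whole procedure above, collected into shell functions as an added example (this is not part of the original lab text). It assumes the script lives at /home/hostadm/mem2.sh, that aa-genprof writes its profile to /etc/apparmor.d/home.hostadm.mem2.sh (aa-genprof derives the file name from the path by dropping the leading slash and replacing slashes with dots), and that aa-logprof is the tool used to accept the denied write to /home/hostadm/mem.out, which the lab does not name. Besides the commands, it adds two small checks that parse aa-status output and an AppArmor DENIED audit line, so the "is it enforced?" and "what was denied?" steps can be verified rather than eyeballed. The aa-status output and the audit line embedded below are constructed samples, so the checks run without AppArmor present.

```shell
#!/bin/sh
# Added example: aa-genprof workflow for mem2.sh plus two verification helpers.
# Assumed paths (not stated in the lab text):
SCRIPT=/home/hostadm/mem2.sh
PROFILE=/etc/apparmor.d/home.hostadm.mem2.sh

# Lab steps as commands; run on the VM as root. aa-genprof is interactive:
# it watches the audit log while mem2.sh runs in the other terminal and
# asks which accesses to allow. Not invoked automatically by this file.
build_profile() {
    chmod +x "$SCRIPT"
    aa-genprof "$SCRIPT"          # answer the prompts, then (S)can / (F)inish
    aa-enforce "$PROFILE"         # place the profile in enforce mode
    cat "$PROFILE"                # inspect the generated rules
    aa-status | grep -F "$SCRIPT" # confirm it is listed under enforce mode
}

# After the denied run, aa-logprof re-reads the log and offers the new rule
# (allowing writes to /home/hostadm/mem.out); accept it and re-run mem2.sh.
# aa-logprof is an assumption: the lab does not name the tool used here.
update_profile() {
    aa-logprof
    cat "$PROFILE"
}

# profile_mode STATUS_TEXT PROFILE_PATH -> prints enforce, complain or none.
# Walks the section headers that aa-status prints and remembers which
# section the profile path was listed in.
profile_mode() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /profiles are in enforce mode/  { sec = "enforce";  next }
        /profiles are in complain mode/ { sec = "complain"; next }
        /processes have profiles/       { sec = "";         next }
        sec != "" && $1 == p            { mode = sec }
        END { print (mode == "" ? "none" : mode) }'
}

# denied_path AUDIT_LINE -> prints the name= value of an apparmor="DENIED"
# line, or nothing when the line is not a denial.
denied_path() {
    printf '%s\n' "$1" | sed -n 's/.*apparmor="DENIED".* name="\([^"]*\)".*/\1/p'
}

# Constructed sample of aa-status output after build_profile.
SAMPLE_STATUS='apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /home/hostadm/mem2.sh
   /usr/bin/man
1 profiles are in complain mode.
   /usr/sbin/dnsmasq
0 processes have profiles defined.'

# Constructed sample of the kernel audit line for the denied write.
SAMPLE_DENIAL='audit: type=1400 audit(1700000000.123:45): apparmor="DENIED" operation="open" profile="/home/hostadm/mem2.sh" name="/home/hostadm/mem.out" pid=4242 comm="mem2.sh" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0'

# Demonstration on the constructed samples (no AppArmor needed).
echo "mem2.sh profile mode: $(profile_mode "$SAMPLE_STATUS" "$SCRIPT")"
echo "denied path: $(denied_path "$SAMPLE_DENIAL")"
```

On the VM, replace the two sample variables with live data, for example profile_mode "$(aa-status)" "$SCRIPT" and denied_path "$(dmesg | grep DENIED | tail -n 1)"; the functions are POSIX sh and only need awk and sed.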