debops-contrib.apparmor default variables

Packages and installation

apparmor__base_packages

List of base packages to install.

  apparmor__base_packages:
    - 'apparmor'
    - 'apparmor-utils'
    - 'apparmor-profiles'
    - '{{ []
         if (ansible_distribution == "Ubuntu" and not (ansible_distribution_version|version_compare("15.10", ">=")))
         else [ "apparmor-profiles-extra" ] }}'
apparmor__packages

List of additional packages to install with AppArmor.

Example:

  apparmor__packages:
    - 'apparmor-notify'

  apparmor__packages: []
apparmor__enabled

Should AppArmor be enabled?

  apparmor__enabled: True

apparmor__kernel_options

Default kernel options needed to enable AppArmor. You probably don't need to change this.

  apparmor__kernel_options:
    - 'apparmor=1'
    - 'security=apparmor'
apparmor__manage_grub

How the role should write the required kernel options into the GRUB configuration. The default is to delegate this to the debops.grub role. If set to True, this role writes the options itself without debops.grub. Note that this role is not as flexible in configuring GRUB as debops.grub is.

  apparmor__manage_grub: False
apparmor__additional_kernel_parameters

Legacy: only considered when apparmor__manage_grub == True.

  apparmor__additional_kernel_parameters: ''
apparmor__mail_to

List of recipients to which a mail will be sent in case a reboot is required.

  apparmor__mail_to: [ 'root@{{ ansible_domain }}' ]

apparmor__mail_subject

Subject of the email to be sent in case a reboot is required to boot into an updated kernel version.

  apparmor__mail_subject: 'Reboot required by AppArmor on {{ ansible_fqdn }}'

apparmor__mail_body

Body of the email to be sent in case a reboot is required to boot into an updated kernel version.

  apparmor__mail_body: |
    Ansible has enabled AppArmor through the boot loader configuration for the
    Linux kernel parameters on host {{ ansible_fqdn }}.
    You should check the status of the host and reboot it when convenient.
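The reboot mail above asks the operator to "check the status of the host". The following script is an added example (not part of the debops-contrib.apparmor role) of what that check looks like: it parses the kernel command line the way /proc/cmdline would be read, compares it with the role's default apparmor__kernel_options, and reads the kernel's own AppArmor flag from /sys/module/apparmor/parameters/enabled. The file paths are the real kernel interfaces; the command-line strings used for testing are constructed.

```python
"""Verify that the AppArmor kernel options are active on the running host.

Added example, not part of the debops-contrib.apparmor role. Sample command
lines passed to these functions are constructed.
"""
import shlex
from pathlib import Path

# Mirrors the role default apparmor__kernel_options.
APPARMOR_KERNEL_OPTIONS = ["apparmor=1", "security=apparmor"]

CMDLINE_PATH = Path("/proc/cmdline")
SYSFS_ENABLED_PATH = Path("/sys/module/apparmor/parameters/enabled")


def parse_cmdline(cmdline: str) -> dict:
    """Split a kernel command line into {key: value}; bare flags map to ''.

    A later duplicate of a key overwrites an earlier one in this parser.
    """
    params = {}
    for token in shlex.split(cmdline):
        key, _, value = token.partition("=")
        params[key] = value
    return params


def missing_kernel_options(cmdline: str, required=tuple(APPARMOR_KERNEL_OPTIONS)) -> list:
    """Return the required key=value options that are absent or set to another value."""
    params = parse_cmdline(cmdline)
    missing = []
    for option in required:
        key, _, value = option.partition("=")
        if params.get(key) != value:
            missing.append(option)
    return missing


def apparmor_active(cmdline: str, sysfs_enabled: str) -> bool:
    """True when the command line carries the options and sysfs reports 'Y'."""
    return not missing_kernel_options(cmdline) and sysfs_enabled.strip() == "Y"


def check_running_host() -> dict:
    """Read the live kernel interfaces and return a small report.

    Missing files (non-Linux host, kernel without AppArmor) count as empty input.
    """
    cmdline = CMDLINE_PATH.read_text() if CMDLINE_PATH.exists() else ""
    enabled = SYSFS_ENABLED_PATH.read_text() if SYSFS_ENABLED_PATH.exists() else ""
    return {
        "missing_options": missing_kernel_options(cmdline),
        "apparmor_enabled": enabled.strip() == "Y",
        "active": apparmor_active(cmdline, enabled),
    }


if __name__ == "__main__":
    print(check_running_host())
```

An empty `missing_options` list together with `apparmor_enabled: True` means the GRUB change has been booted into. On Debian 10 and later, and on current Ubuntu, AppArmor is already the default LSM, so the sysfs flag can read `Y` even without `security=apparmor` on the command line; treat the sysfs value as the authoritative signal and the command-line check as confirmation that the boot loader change actually took effect.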
AppArmor profiles

apparmor__enforce_all_profiles

Put all profiles into enforcement mode. Use this only if you know what you are doing.

  apparmor__enforce_all_profiles: False
apparmor__global_profile_status

Global configuration of the status of individual profiles. More specific matches override more generic ones (for example, the host-level setting overrules the global one).

Choices are:

enforce
    Enforces the policy defined in the profile and logs policy violation attempts.
complain
    Does not enforce the policy; instead, it logs policy violations.
disable
    In this mode, policy violations are neither prevented nor logged.

Example:

  apparmor__global_profile_status:
    'usr.sbin.nmbd': 'complain'

  apparmor__global_profile_status: {}
apparmor__host_group_profile_status

Host group configuration of the status of individual profiles.

  apparmor__host_group_profile_status: {}

apparmor__host_profile_status

Host configuration of the status of individual profiles.

  apparmor__host_profile_status: {}
apparmor__local_config_global

Global additions or overrides of system profiles. Those changes will be configured in /etc/apparmor.d/local/. Check /etc/apparmor.d/local/README for details.

All three dictionaries are merged into one profile configuration. Each dictionary maps a profile name to a list of rule groups with the following keys:

comment
    String, optional, default "Uncommented rule group". Comment for the given rules.
rules
    List of strings, required. AppArmor rules. Note that the rules are not comma-terminated; this is done by the role template.
by_role
    String, optional, default "". Name of a role which manages the rules. Useful when using this role as a role dependency.
delete
    Boolean, optional, default False. Delete the given rule(s).

Example:

  apparmor__local_config_global:
    'usr.sbin.dnsmasq':
      - comment: 'Allow dnsmasq to read upstream DNS servers'
        rules:
          - '/etc/resolvconf/upstream.conf r'
          - '/etc/hosts.dnsmasq r'
        by_role: 'debops.dnsmasq'
      - comment: 'Allow dnsmasq to read /usr/share/dnsmasq-base/trust-anchors.conf'
        rules:
          - '/usr/share/dnsmasq-base/* r'
        by_role: 'debops.dnsmasq'
    'usr.bin.pidgin':
      - comment: 'Allow local Pidgin plugins'
        rules:
          - '@{HOME}/.purple/plugins/** rm'

  apparmor__local_config_global: {}
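The profile-status variables (global, host group, host) and the local-config variables both describe layered dictionaries that the role merges, but the page only states the rules in prose. The following is an added example, not the role's own Jinja template or task code, that models both merges in plain Python: the most specific status wins, rule groups are combined per profile into the body of one /etc/apparmor.d/local/<profile> file, the trailing comma is added per rule, and `delete: True` removes rules. The merge order (global, group, host, dependent) and the way `delete` is applied (dropping matching rules contributed by earlier layers) are assumptions made here for illustration; the sample data is constructed, reusing the dnsmasq example above as the global layer.

```python
"""Model how the role's layered profile dictionaries combine.

Added example, not the role's own template or task code. Merge order and the
semantics of ``delete`` are assumptions made for illustration; sample data is
constructed.
"""

STATUS_CHOICES = ("enforce", "complain", "disable")


def resolve_profile_status(global_status, group_status, host_status):
    """Return {profile: status}; host overrides group, which overrides global."""
    merged = {}
    for layer in (global_status, group_status, host_status):  # least to most specific
        for profile, status in layer.items():
            if status not in STATUS_CHOICES:
                raise ValueError(f"{profile}: unknown status {status!r}")
            merged[profile] = status
    return merged


def merge_local_config(*layers):
    """Return {profile: [rule_group, ...]} with deletions applied.

    ``layers`` are given from least to most specific. A group with
    ``delete: True`` strips its rules from the groups collected so far
    (assumption); any other group is appended with the documented defaults
    for ``comment`` and ``by_role`` filled in.
    """
    merged = {}
    for layer in layers:
        for profile, groups in layer.items():
            kept = merged.setdefault(profile, [])
            for group in groups:
                if group.get("delete", False):
                    doomed = set(group["rules"])
                    for existing in kept:
                        existing["rules"] = [r for r in existing["rules"] if r not in doomed]
                    kept[:] = [g for g in kept if g["rules"]]  # drop emptied groups
                else:
                    kept.append({
                        "comment": group.get("comment", "Uncommented rule group"),
                        "by_role": group.get("by_role", ""),
                        "rules": list(group["rules"]),
                    })
    return merged


def render_local_profile(groups):
    """Render the body of /etc/apparmor.d/local/<profile>, adding the comma each rule needs."""
    lines = []
    for group in groups:
        header = f"# {group['comment']}"
        if group["by_role"]:
            header += f" (managed by {group['by_role']})"
        lines.append(header)
        lines.extend(f"{rule}," for rule in group["rules"])
        lines.append("")
    return "\n".join(lines)


# Constructed sample data: the page's dnsmasq example as the global layer ...
GLOBAL_LOCAL_CONFIG = {
    "usr.sbin.dnsmasq": [
        {"comment": "Allow dnsmasq to read upstream DNS servers",
         "rules": ["/etc/resolvconf/upstream.conf r", "/etc/hosts.dnsmasq r"],
         "by_role": "debops.dnsmasq"},
        {"comment": "Allow dnsmasq to read /usr/share/dnsmasq-base/trust-anchors.conf",
         "rules": ["/usr/share/dnsmasq-base/* r"],
         "by_role": "debops.dnsmasq"},
    ],
}
# ... and a constructed host layer that withdraws one rule and adds another.
HOST_LOCAL_CONFIG = {
    "usr.sbin.dnsmasq": [
        {"rules": ["/etc/hosts.dnsmasq r"], "delete": True},
        {"rules": ["/var/lib/dnsmasq/leases rw"]},
    ],
}

if __name__ == "__main__":
    merged = merge_local_config(GLOBAL_LOCAL_CONFIG, {}, HOST_LOCAL_CONFIG, {})
    print(render_local_profile(merged["usr.sbin.dnsmasq"]))
    print(resolve_profile_status({"usr.sbin.nmbd": "complain"}, {}, {"usr.sbin.nmbd": "enforce"}))
```

Running the script prints the rendered local override for `usr.sbin.dnsmasq` with the host-deleted rule gone and the host-added rule filed under the default comment, followed by the resolved status where the host-level `enforce` wins over the global `complain`. Because rules in the local file are comma-terminated by the renderer, a rule that already carries a trailing comma in the input would end up doubled, which is why the page insists that rules be given without it.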
apparmor__local_group_config

Host group additions or overrides of system profiles.

  apparmor__local_group_config: {}

apparmor__local_host_config

Host additions or overrides of system profiles.

  apparmor__local_host_config: {}

apparmor__local_dependent_config

System profiles managed by other roles using this role as a dependency.

  apparmor__local_dependent_config: {}
apparmor__global_tunables

Allows you to define or append variables which will be included by most profiles via the tunable concept of AppArmor. See also: https://wiki.ubuntu.com/DebuggingApparmor#Adjusting_Tunables

Example:

  apparmor__global_tunables: |
    @{HOMEDIRS}+=/exports/home/

  apparmor__global_tunables: ''
apparmor__group_tunables

Host group definitions or additions to variables.

  apparmor__group_tunables: ''

apparmor__host_tunables

Host definitions or additions to variables.

  apparmor__host_tunables: ''

apparmor__tunables_dependent

Variable definitions managed by roles using this role as a dependency.

  apparmor__tunables_dependent: ''