{"id":18710,"date":"2022-04-26T09:00:52","date_gmt":"2022-04-26T07:00:52","guid":{"rendered":"https:\/\/www.credativ.de\/blog\/credativ-inside\/manually-create-an-apparmor-profile-for-nginx\/"},"modified":"2022-04-26T09:00:52","modified_gmt":"2022-04-26T07:00:52","slug":"manually-create-an-apparmor-profile-for-nginx","status":"publish","type":"post","link":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/","title":{"rendered":"Manually Create an AppArmor Profile for Nginx"},"content":{"rendered":"

As described in the previous post, access control on Unix-like systems is traditionally based on the principle of Discretionary Access Control<\/em><\/a> (DAC). Applications and services run under a specific user and group ID and are granted the corresponding access rights to files and folders. <\/p>\n

AppArmor<\/a> implements a Mandatory Access Control<\/em><\/a> for Linux, based on the Linux Security Modules<\/em>: an access control strategy that allows specific rights to be granted or denied to individual programs. This security layer exists in addition to the traditional DAC<\/em>. <\/p>\n

Since Debian 10 buster<\/em>, AppArmor has been included and activated in the kernel by default. The packages apparmor<\/a> and apparmor-utils<\/a> provide tools for creating and maintaining AppArmor profiles. <\/p>\n

Included Profiles<\/h1>\n

The two packages mentioned do not come with ready-made profiles, but only the Abstractions<\/em> mentioned in the previous article: collections of rules that can be included in multiple profiles.<\/p>\n

Some programs include their profiles in their own packages, while others contain profiles if corresponding modules are installed later \u2013 for example, mod_apparmor<\/code> for the Apache web server.<\/p>\n

The packages apparmor-profiles<\/a> and apparmor-profiles-extra<\/a> contain AppArmor profiles that can be found after installation in the directories \/etc\/apparmor.d<\/code> (for tested profiles) and \/usr\/share\/apparmor\/extra-profiles<\/code> (for experimental profiles), respectively. These profiles can be used as a basis for custom profiles. <\/p>\n

Create Profiles Yourself<\/h1>\n

While at least experimental profiles are available for most common server services, such as the Apache<\/em> web server, nothing can be found for the nginx<\/a> web server. However, this is not a major issue, as a new AppArmor profile can be quickly created with the help of apparmor-utils<\/a>. <\/p>\n

Nginx Example<\/h2>\n

The following assumes a simple base installation of nginx<\/em> that only serves HTML files under \/var\/www\/html<\/code> via HTTP<\/em>. The focus here is primarily on the general approach, so repetitive steps will be skipped. <\/p>\n

The described approach can be applied to any other program. To find out about the paths and files used by a program, dpkg<\/code> can be used with the -L<\/code> option, which lists all paths of a package. It should be noted that several packages may need to be queried for this; for nginx<\/a>, the package of the same name provides hardly any useful information; this is only obtained with the nginx-common<\/a> package: <\/p>\n

# dpkg -L nginx-common<\/pre>\n
For the following steps, it is recommended to have two terminals open with root privileges.<\/p>\n
Before the web server process can be observed for profile creation, all its running processes must be terminated:<\/p>\n
# systemctl stop nginx<\/pre>\n
Once all processes are stopped, aa-genprof<\/code> is called in the second terminal with the path of the web server’s program file:<\/p>\n
# aa-genprof \/usr\/sbin\/nginx<\/pre>\n
Some information about the current call of aa-genprof<\/code> appears, including the hint Profiling: \/usr\/sbin\/nginx<\/code>, followed by  Please start the application to be profiled in another window and exercise its functionality now.<\/code><\/p>\n
To comply with this, the web server process is restarted in the first terminal window:<\/p>\n
# systemctl start nginx<\/pre>\n
Before calling the S<\/code> option in the second window to search the log files for AppArmor events, the web server should run for a few moments, and it should also be accessed from a browser so that as many typical activities of the process as possible are recorded.<\/p>\n
Once this is done, the log files can be searched for events by pressing the S<\/code> key:<\/p>\n
[(S)can system log for AppArmor events] \/ (F)inish\nReading log entries from \/var\/log\/syslog.\nUpdating AppArmor profiles in \/etc\/apparmor.d.\nComplain-mode changes:<\/pre>\n
If an event is found, the affected profile and the action recorded by AppArmor are displayed:<\/p>\n
Profile: \/usr\/sbin\/nginx\nCapability: dac_override\nSeverity: 9\n\n [1 - capability dac_override,]\n(A)llow \/ [(D)eny] \/ (I)gnore \/ Audi(t) \/ Abo(r)t \/ (F)inish<\/pre>\n
Here, the program \/usr\/sbin\/nginx<\/code> requests the Capability<\/em><\/a> dac_override<\/code>, which was already described in the last article. It is indispensable for the operation of the web server and is allowed by pressing A<\/code>. Alternatively, the request can be denied with D<\/code> or ignored with I<\/code>. With the Audit<\/em> option, this request would continue to be recorded in the log file during operation.   <\/p>\n
Profile: \/usr\/sbin\/nginx\nCapability: net_bind_service\nSeverity: 8\n\n [1 - #include ]\n2 - capability net_bind_service,<\/abstractions><\/abstractions><\/pre>\n
The next event shows that the process requests the Capability<\/em> net_bind_service<\/code>, which is needed to open a port with a port number less than 1024.<\/p>\n
Unlike the first query, there are two ways to allow access in the future: the first option involves integrating Abstractions<\/em> for NIS<\/em>, the Network Information Service<\/em>. In this Abstraction<\/em>, which can be found under \/etc\/apparmor.d\/abstractions\/nis<\/code>, in addition to a rule that allows access to rule sets for NIS<\/em>, the Capability<\/em> net_bind_service<\/code> is also listed. <\/p>\n
However, since the HTTP server does not include NIS<\/em> functionality, it is sufficient to only allow the Capability<\/em>. By pressing 2<\/code> and A<\/code>, this is adopted into the profile. <\/p>\n
The same applies to the Abstractions<\/em> proposed in the following steps for dovecot<\/code> and postfix<\/code>: here it is sufficient to only allow the Capabilities<\/em> setgid<\/code> and setuid<\/code>.<\/p>\n
Sometimes the designation of the Abstractions<\/em> can be somewhat misleading: for example, the Abstraction<\/em> nameservice<\/code> contains, in addition to rules that allow read access to common nameservice files like passwd<\/code> or hosts<\/code>, also rules that permit network access. It is therefore always worthwhile to take a look at the respective file under \/etc\/apparmor.d\/abstractions\/<\/code> to see if including the Abstraction<\/em> is beneficial. <\/p>\n
After the web server process has received all necessary Capabilities<\/em>, it apparently tries to open its error log file \/var\/log\/nginx\/log<\/code> with write permissions. It is noticeable here that, in addition to the usual Allow<\/em>, Deny<\/em>, and Ignore<\/em>, the options Glob<\/em> and Glob with Extension<\/em> have been added. <\/p>\n
Profile: \/usr\/sbin\/nginx\nPath: \/var\/log\/nginx\/error.log\nNew Mode: w\nSeverity: 8\n\n [1 - \/var\/log\/nginx\/error.log w,]\n(A)llow \/ [(D)eny] \/ (I)gnore \/ (G)lob \/ Glob with (E)xtension \/ (N)ew \/ Audi(t) \/ Abo(r)t \/ (F)inish<\/pre>\n
Entering E<\/code> adds another suggestion to the list:<\/p>\n
 1 - \/var\/log\/nginx\/error.log w, \n [2 - \/var\/log\/nginx\/*.log w,]<\/pre>\n
The filename error.log<\/code> has been replaced by a wildcard and the extension .log<\/code>. This rule would grant write permissions to the file \/var\/log\/nginx\/error.log<\/code> as well as, for example, to the file \/var\/log\/nginx\/access.log<\/code> \u2013 these are (at least) two rules combined into a single one. <\/p>\n
These rules would already be sufficient for this example, but it might also be necessary to allow files that do not have the .log<\/code> file extension to be written in the \/var\/log<\/code> directory. By entering G<\/code>, another suggestion is added to the list: <\/p>\n
  1 - \/var\/log\/nginx\/error.log w,  \n 2 - \/var\/log\/nginx\/*.log w, \n [3 - \/var\/log\/nginx\/* w,]<\/pre>\n
The filename has now been replaced by a single wildcard, meaning the process would be allowed to open any files in \/var\/log\/nginx<\/code> with write permissions.<\/p>\n
As already mentioned, the proposed rules only grant write permissions, but no read permissions, even if the file’s access rights would allow more. However, for a web server’s log file, write permissions are entirely sufficient. <\/p>\n
Subsequently, nginx<\/em> requests read access to various configuration files, for example \/etc\/nginx\/nginx.conf<\/code>. This file is located in the nginx<\/em> web server’s configuration directory, which contains other files that should also be readable. <\/p>\n
Profile: \/usr\/sbin\/nginx\nPath: \/etc\/nginx\/nginx.conf\nNew Mode: owner r\nSeverity: unknown\n\n [1 - owner \/etc\/nginx\/nginx.conf r,]<\/pre>\n
Here too, with G<\/code>, the rule can be extended to all files in the \/etc\/nginx<\/code> directory.<\/p>\n
 1 - owner \/etc\/nginx\/nginx.conf r, \n [2 - owner \/etc\/nginx\/* r,]<\/pre>\n
The same applies to the subdirectories of the configuration directory; these can be covered by globbing<\/em> as \/etc\/nginx\/*\/<\/code>.<\/p>\n
A special case for globbing is the files contained in those subdirectories:<\/p>\n
Profile: \/usr\/sbin\/nginx\nPath: \/etc\/nginx\/sites-available\/default\nNew Mode: owner r\nSeverity: unknown\n\n [1 - owner \/etc\/nginx\/sites-available\/default r,]<\/pre>\n
After entering G<\/code> twice, the wildcard **<\/code> is suggested after the wildcard *<\/code> known from above, which, as described in the previous article, covers all files located in subdirectories (and their subdirectories).<\/p>\n
 1 - owner \/etc\/nginx\/sites-available\/default r, \n 2 - owner \/etc\/nginx\/sites-available\/* r, \n [3 - owner \/etc\/nginx\/** r,]<\/pre>\n
The last steps also all contained the attribute owner<\/code>: this ensures that a rule only applies if the accessing process is also the owner of the file. If the file exists but belongs to someone else, access is denied. <\/p>\n
There are still some other paths and files such as \/usr\/share\/nginx\/modules-available\/<\/code>, \/run\/nginx.pid<\/code>, and \/proc\/sys\/kernel\/random\/boot_id<\/code>, which nginx<\/em> also requires for proper operation. However, the procedure remains unchanged. <\/p>\n
Once all events have been processed, the program concludes with the message:<\/p>\n
= Changed Local Profiles =\n\nThe following local profiles were changed. Would you like to save them? \n\n [1 - \/usr\/sbin\/nginx]\n(S)ave Changes \/ Save Selec(t)ed Profile \/ [(V)iew Changes] \/ View Changes b\/w (C)lean profiles \/ Abo(r)t<\/pre>\n
The options are clear: S<\/code> saves changes, while V<\/code> allows them to be viewed as a Diff<\/em> beforehand. The following listing shows the profile generated in the run above. <\/p>\n
include <tunables\/global>\n\nprofile nginx \/usr\/sbin\/nginx {\n include <abstractions\/base>\n include <abstractions\/nameservice>\n\n capability dac_override,\n capability dac_read_search,\n capability setgid,\n capability setuid,\n\n \/usr\/sbin\/nginx mr,\n\n \/var\/log\/nginx\/*.log w,\n\n \/var\/www\/html\/** r,\n\n owner \/etc\/nginx\/* r,\n owner \/etc\/nginx\/** r,\n\n owner \/run\/nginx.pid rw,\n\n owner \/usr\/share\/GeoIP\/*.mmdb r,\n owner \/usr\/share\/nginx\/modules-available\/*.conf r,\n\n owner \/var\/cache\/nginx\/** rw,\n owner \/var\/lib\/nginx\/** rw,\n}<\/pre>\n
After saving the changes, aa-genprof<\/code> returns to its start screen. Here, one could search for events in log files again or exit the program with F<\/code>. <\/p>\n
The program ends with the message:<\/p>\n
Setting \/usr\/sbin\/nginx to enforce mode.\n\nReloaded AppArmor profiles in enforce mode.<\/pre>\n
The profile just created has therefore been loaded and put into enforce mode<\/em>. This means that the program can only access what is allowed in the profile; all other access attempts are blocked by AppArmor and recorded in the Syslog<\/em>. <\/p>\n
For simple programs, the creation of a profile is thus complete, and AppArmor can perform its work; more complex programs, however, will show previously unknown behavior later on, which would be prevented by the profile created so far. In such cases, it helps to switch the profile to complain mode<\/em> using aa-complain<\/code>. <\/p>\n
# aa-complain nginx<\/pre>\n
Accesses that go beyond the known profile are generally allowed in complain mode<\/em> but are recorded in the Syslog<\/em>.<\/p>\n
Feb 18 15:25:50 web01 kernel: [ 9908.611408] audit: type=1400 audit(1645197950.338:100): apparmor=\"ALLOWED\" operation=\"open\" profile=\"nginx\" name=\"\/srv\/www\/index.html\" pid=4490 comm=\"nginx\" requested_mask=\"r\" denied_mask=\"r\" fsuid=33 ouid=0<\/pre>\n
In the excerpt from the Syslog<\/em> above, the webroot directory on host web01<\/code> was changed to \/srv\/www<\/code>, but the previously created AppArmor profile was not adjusted. Since the profile is now in complain mode<\/em>, access was still allowed: apparmor=\"ALLOWED\"<\/code>; in enforce mode<\/em>, it would say DENIED<\/code> and access would be denied. <\/p>\n
The remaining information clearly shows what happened: the process with process ID (pid<\/em>) 4190<\/code> tried to open the file \/srv\/www\/index.html<\/code> (name<\/em>) for reading (requested_mask<\/em>), which would, however, be forbidden (denied_mask<\/em>) due to the profile (profile<\/em>) nginx<\/code>.<\/p>\n
So, if software secured with AppArmor doesn’t work as expected, the first place to look is the Syslog<\/em>!<\/p>\n
After some time, there will be several entries there that should then be incorporated into the AppArmor profile. For this, the program aa-logprof<\/code> is used: it searches the Syslog<\/em> for entries and, in the manner of aa-genprof<\/code>, asks if and how entries should be created in the profile. This process can be repeated as often as necessary.  <\/p>\n
If no further entries are found in the Syslog, the profile has been sufficiently adjusted and can be switched back to enforce mode<\/em> with aa-enforce<\/code>:<\/p>\n
# aa-enforce nginx<\/pre>\n
This completes the basic creation of a simple AppArmor profile, and the nginx<\/em> processes are controlled and monitored according to the rules defined within it.<\/p>\n
We are Happy to Support You<\/h1>\n
Whether AppArmor, Debian, or PostgreSQL: with over 22+ years of development and service experience in the open-source sector, credativ GmbH can professionally support you with unparalleled and individually configurable support and assist you fully with all questions regarding your open-source infrastructure.<\/p>\n
Do you have questions about our article or would you like credativ’s specialists to look at another software of your choice?
\nThen visit us and contact us via our contact form<\/a> or write us an email at info@credativ.de<\/a>.<\/p>\n
About Credativ<\/h1>\n
credativ GmbH<\/a> is a vendor-independent consulting and service company based in M\u00f6nchengladbach.<\/p>\n","protected":false},"excerpt":{"rendered":"
As described in the previous post, access control on Unix-like systems is traditionally based on the principle of Discretionary Access Control (DAC). Applications and services run under a specific user and group ID and are granted the corresponding access rights to files and folders. AppArmor implements a Mandatory Access Control for Linux, based on the […]<\/p>\n","protected":false},"author":60,"featured_media":6774,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_improvement_type_select":"improve_an_existing","_thumb_yes_seoaic":false,"_frame_yes_seoaic":false,"seoaic_generate_description":"","seoaic_improve_instructions_prompt":"","seoaic_rollback_content_improvement":"","seoaic_idea_thumbnail_generator":"","thumbnail_generated":false,"thumbnail_generate_prompt":"","seoaic_article_description":"","seoaic_article_subtitles":[],"footnotes":""},"categories":[1883,1885],"tags":[1711,1775,1842,1761,1853,1861],"class_list":["post-18710","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-debian-en","category-howtos-en","tag-apparmor-en","tag-debian-en","tag-linux-en","tag-open-source-en","tag-security","tag-ubuntu-en"],"acf":[],"yoast_head":"\nManually Create an AppArmor Profile for Nginx - credativ\u00ae<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Manually Create an AppArmor Profile for Nginx\" \/>\n<meta property=\"og:description\" content=\"As described in the previous post, access control on Unix-like systems is traditionally based on the principle of Discretionary Access Control (DAC). Applications and services run under a specific user and group ID and are granted the corresponding access rights to files and folders. AppArmor implements a Mandatory Access Control for Linux, based on the […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/\" \/>\n<meta property=\"og:site_name\" content=\"credativ\u00ae\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/credativDE\/\" \/>\n<meta property=\"article:published_time\" content=\"2022-04-26T07:00:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.credativ.de\/wp-content\/uploads\/2022\/04\/apparmor_profile_2500x300.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2500\" \/>\n\t<meta property=\"og:image:height\" content=\"300\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jan Bolle\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@bollejansson\" \/>\n<meta name=\"twitter:site\" content=\"@credativde\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jan Bolle\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/\"},\"author\":{\"name\":\"Jan Bolle\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#\\\/schema\\\/person\\\/f33560ea675ef6722c4459154b42606e\"},\"headline\":\"Manually Create an AppArmor Profile for Nginx\",\"datePublished\":\"2022-04-26T07:00:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/\"},\"wordCount\":1609,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2022\\\/04\\\/apparmor_profile_2500x300.png\",\"keywords\":[\"AppArmor\",\"Debian\",\"Linux\",\"Open Source\",\"Security\",\"Ubuntu\"],\"articleSection\":[\"Debian\",\"HowTos\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/#respond\"]}],\"copyrightYear\":\"2022\",\"copyrightHolder\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/#organization\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/\",\"name\":\"Manually Create an AppArmor Profile for Nginx - credativ\u00ae\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2022\\\/04\\\/apparmor_profile_2500x300.png\",\"datePublished\":\"2022-04-26T07:00:52+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2022\\\/04\\\/apparmor_profile_2500x300.png\",\"contentUrl\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2022\\\/04\\\/apparmor_profile_2500x300.png\",\"width\":2500,\"height\":300},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Manually Create an AppArmor Profile for Nginx\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/\",\"name\":\"credativ GmbH\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Organization\",\"Place\"],\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#organization\",\"name\":\"credativ\u00ae\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/\",\"logo\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/#local-main-organization-logo\"},\"image\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/#local-main-organization-logo\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/credativDE\\\/\",\"https:\\\/\\\/x.com\\\/credativde\",\"https:\\\/\\\/mastodon.social\\\/@credativde\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/credativ-gmbh\",\"https:\\\/\\\/www.instagram.com\\\/credativ\\\/\"],\"description\":\"Die credativ GmbH ist ein f\u00fchrendes, auf Open Source Software spezialisiertes IT-Dienstleistungs- und Beratungsunternehmen. Wir bieten umfassende und professionelle Services, von Beratung und Infrastruktur-Betrieb \u00fcber 24\\\/7 Support bis hin zu individuellen L\u00f6sungen und Schulungen. Unser Fokus liegt auf dem ganzheitlichen Management von gesch\u00e4ftskritischen Open-Source-Systemen, darunter Betriebssysteme (z.B. Linux), Datenbanken (z.B. PostgreSQL), Konfigurationsmanagement (z.B. Ansible, Puppet) und Virtualisierung. Als engagierter Teil der Open-Source-Community unterst\u00fctzen wir unsere Kunden dabei, die Vorteile freier Software sicher, stabil und effizient in ihrer IT-Umgebung zu nutzen.\",\"legalName\":\"credativ GmbH\",\"foundingDate\":\"2025-03-01\",\"duns\":\"316387060\",\"numberOfEmployees\":{\"@type\":\"QuantitativeValue\",\"minValue\":\"11\",\"maxValue\":\"50\"},\"address\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/#local-main-place-address\"},\"geo\":{\"@type\":\"GeoCoordinates\",\"latitude\":\"51.1732374\",\"longitude\":\"6.392010099999999\"},\"telephone\":[\"+4921619174200\",\"08002733284\"],\"contactPoint\":{\"@type\":\"ContactPoint\",\"telephone\":\"08002733284\",\"email\":\"vertrieb@credativ.de\"},\"openingHoursSpecification\":[{\"@type\":\"OpeningHoursSpecification\",\"dayOfWeek\":[\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\"],\"opens\":\"09:00\",\"closes\":\"17:00\"},{\"@type\":\"OpeningHoursSpecification\",\"dayOfWeek\":[\"Saturday\",\"Sunday\"],\"opens\":\"00:00\",\"closes\":\"00:00\"}],\"email\":\"info@credativ.de\",\"areaServed\":\"D-A-CH\",\"vatID\":\"DE452151696\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#\\\/schema\\\/person\\\/f33560ea675ef6722c4459154b42606e\",\"name\":\"Jan Bolle\",\"description\":\"Jan arbeitet seit 2020 an Projekten des Support\u2013Teams und der Internen IT, nachdem er bereits sein Praktikum im Rahmen seines Informatikstudiums bei credativ absolvierte und auch seine Bachelorarbeit zum Thema Einmalpassw\u00f6rter, Zwei\u2013Faktor\u2013Authentisierung und OpenVPN bei credativ schrieb. Bereits zu Schulzeiten interessierte er sich f\u00fcr Freie Software, Netzwerke und Telekommunikation und richtete zusammen mit Mitsch\u00fclern ein Internetcaf\u00e9 ein, auf dessen Server und Clients Debian GNU\\\/Linux seinen Dienst verrichtete.\",\"sameAs\":[\"https:\\\/\\\/x.com\\\/bollejansson\"]},{\"@type\":\"PostalAddress\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/#local-main-place-address\",\"streetAddress\":\"Hennes-Weisweiler-Allee 23\",\"addressLocality\":\"M\u00f6nchengladbach\",\"postalCode\":\"41179\",\"addressRegion\":\"Deutschland\",\"addressCountry\":\"DE\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/manually-create-an-apparmor-profile-for-nginx\\\/#local-main-organization-logo\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/credativ-logo-right.svg\",\"contentUrl\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/credativ-logo-right.svg\",\"caption\":\"credativ\u00ae\"}]}<\/script>\n<meta name=\"geo.placename\" content=\"M\u00f6nchengladbach\" \/>\n<meta name=\"geo.position\" content=\"51.1732374;6.392010099999999\" \/>\n<meta name=\"geo.region\" content=\"Germany\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Manually Create an AppArmor Profile for Nginx - credativ\u00ae","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/","og_locale":"en_US","og_type":"article","og_title":"Manually Create an AppArmor Profile for Nginx","og_description":"As described in the previous post, access control on Unix-like systems is traditionally based on the principle of Discretionary Access Control (DAC). Applications and services run under a specific user and group ID and are granted the corresponding access rights to files and folders. AppArmor implements a Mandatory Access Control for Linux, based on the […]","og_url":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/","og_site_name":"credativ\u00ae","article_publisher":"https:\/\/www.facebook.com\/credativDE\/","article_published_time":"2022-04-26T07:00:52+00:00","og_image":[{"width":2500,"height":300,"url":"https:\/\/www.credativ.de\/wp-content\/uploads\/2022\/04\/apparmor_profile_2500x300.png","type":"image\/png"}],"author":"Jan Bolle","twitter_card":"summary_large_image","twitter_creator":"@bollejansson","twitter_site":"@credativde","twitter_misc":{"Written by":"Jan Bolle","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/#article","isPartOf":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/"},"author":{"name":"Jan Bolle","@id":"https:\/\/www.credativ.de\/en\/#\/schema\/person\/f33560ea675ef6722c4459154b42606e"},"headline":"Manually Create an AppArmor Profile for Nginx","datePublished":"2022-04-26T07:00:52+00:00","mainEntityOfPage":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/"},"wordCount":1609,"commentCount":0,"publisher":{"@id":"https:\/\/www.credativ.de\/en\/#organization"},"image":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/#primaryimage"},"thumbnailUrl":"https:\/\/www.credativ.de\/wp-content\/uploads\/2022\/04\/apparmor_profile_2500x300.png","keywords":["AppArmor","Debian","Linux","Open Source","Security","Ubuntu"],"articleSection":["Debian","HowTos"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/#respond"]}],"copyrightYear":"2022","copyrightHolder":{"@id":"https:\/\/www.credativ.de\/#organization"}},{"@type":"WebPage","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/","url":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/","name":"Manually Create an AppArmor Profile for Nginx - credativ\u00ae","isPartOf":{"@id":"https:\/\/www.credativ.de\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/#primaryimage"},"image":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/#primaryimage"},"thumbnailUrl":"https:\/\/www.credativ.de\/wp-content\/uploads\/2022\/04\/apparmor_profile_2500x300.png","datePublished":"2022-04-26T07:00:52+00:00","breadcrumb":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/#primaryimage","url":"https:\/\/www.credativ.de\/wp-content\/uploads\/2022\/04\/apparmor_profile_2500x300.png","contentUrl":"https:\/\/www.credativ.de\/wp-content\/uploads\/2022\/04\/apparmor_profile_2500x300.png","width":2500,"height":300},{"@type":"BreadcrumbList","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.credativ.de\/en\/"},{"@type":"ListItem","position":2,"name":"Manually Create an AppArmor Profile for Nginx"}]},{"@type":"WebSite","@id":"https:\/\/www.credativ.de\/en\/#website","url":"https:\/\/www.credativ.de\/en\/","name":"credativ GmbH","description":"","publisher":{"@id":"https:\/\/www.credativ.de\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.credativ.de\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Organization","Place"],"@id":"https:\/\/www.credativ.de\/en\/#organization","name":"credativ\u00ae","url":"https:\/\/www.credativ.de\/en\/","logo":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/#local-main-organization-logo"},"image":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/#local-main-organization-logo"},"sameAs":["https:\/\/www.facebook.com\/credativDE\/","https:\/\/x.com\/credativde","https:\/\/mastodon.social\/@credativde","https:\/\/www.linkedin.com\/company\/credativ-gmbh","https:\/\/www.instagram.com\/credativ\/"],"description":"Die credativ GmbH ist ein f\u00fchrendes, auf Open Source Software spezialisiertes IT-Dienstleistungs- und Beratungsunternehmen. Wir bieten umfassende und professionelle Services, von Beratung und Infrastruktur-Betrieb \u00fcber 24\/7 Support bis hin zu individuellen L\u00f6sungen und Schulungen. Unser Fokus liegt auf dem ganzheitlichen Management von gesch\u00e4ftskritischen Open-Source-Systemen, darunter Betriebssysteme (z.B. Linux), Datenbanken (z.B. PostgreSQL), Konfigurationsmanagement (z.B. Ansible, Puppet) und Virtualisierung. Als engagierter Teil der Open-Source-Community unterst\u00fctzen wir unsere Kunden dabei, die Vorteile freier Software sicher, stabil und effizient in ihrer IT-Umgebung zu nutzen.","legalName":"credativ GmbH","foundingDate":"2025-03-01","duns":"316387060","numberOfEmployees":{"@type":"QuantitativeValue","minValue":"11","maxValue":"50"},"address":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/#local-main-place-address"},"geo":{"@type":"GeoCoordinates","latitude":"51.1732374","longitude":"6.392010099999999"},"telephone":["+4921619174200","08002733284"],"contactPoint":{"@type":"ContactPoint","telephone":"08002733284","email":"vertrieb@credativ.de"},"openingHoursSpecification":[{"@type":"OpeningHoursSpecification","dayOfWeek":["Monday","Tuesday","Wednesday","Thursday","Friday"],"opens":"09:00","closes":"17:00"},{"@type":"OpeningHoursSpecification","dayOfWeek":["Saturday","Sunday"],"opens":"00:00","closes":"00:00"}],"email":"info@credativ.de","areaServed":"D-A-CH","vatID":"DE452151696"},{"@type":"Person","@id":"https:\/\/www.credativ.de\/en\/#\/schema\/person\/f33560ea675ef6722c4459154b42606e","name":"Jan Bolle","description":"Jan arbeitet seit 2020 an Projekten des Support\u2013Teams und der Internen IT, nachdem er bereits sein Praktikum im Rahmen seines Informatikstudiums bei credativ absolvierte und auch seine Bachelorarbeit zum Thema Einmalpassw\u00f6rter, Zwei\u2013Faktor\u2013Authentisierung und OpenVPN bei credativ schrieb. Bereits zu Schulzeiten interessierte er sich f\u00fcr Freie Software, Netzwerke und Telekommunikation und richtete zusammen mit Mitsch\u00fclern ein Internetcaf\u00e9 ein, auf dessen Server und Clients Debian GNU\/Linux seinen Dienst verrichtete.","sameAs":["https:\/\/x.com\/bollejansson"]},{"@type":"PostalAddress","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/#local-main-place-address","streetAddress":"Hennes-Weisweiler-Allee 23","addressLocality":"M\u00f6nchengladbach","postalCode":"41179","addressRegion":"Deutschland","addressCountry":"DE"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/manually-create-an-apparmor-profile-for-nginx\/#local-main-organization-logo","url":"https:\/\/www.credativ.de\/wp-content\/uploads\/2025\/04\/credativ-logo-right.svg","contentUrl":"https:\/\/www.credativ.de\/wp-content\/uploads\/2025\/04\/credativ-logo-right.svg","caption":"credativ\u00ae"}]},"geo.placename":"M\u00f6nchengladbach","geo.position":{"lat":"51.1732374","long":"6.392010099999999"},"geo.region":"Germany"},"_links":{"self":[{"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/posts\/18710","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/users\/60"}],"replies":[{"embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/comments?post=18710"}],"version-history":[{"count":0,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/posts\/18710\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/media\/6774"}],"wp:attachment":[{"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/media?parent=18710"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/categories?post=18710"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/tags?post=18710"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}