AppArmor is a mandatory access control (MAC) mechanism implemented as a Linux kernel security module. It allows the system administrator to restrict programs' capabilities with per-program profiles. Its goal is similar to that of SELinux or grsecurity. (See https://issues.roundup-tracker.org/issue1113861 for a starter SELinux configuration.)
AppArmor uses file paths to implement security boundaries. The following AppArmor profile supports running roundup-server3 (the Python 3 instance) with a SQLite back end for roundup. It would need to be changed to use the MySQL or PostgreSQL back ends, probably by allowing read/write access to the database socket.
This was implemented on Ubuntu 18.04 LTS.
For this example, the roundup software is installed under /home/roundup/local/... and the demo tracker is installed in /home/roundup/roundup.demo.

#include <tunables/global>

# define paths here
@{ROUNDUP_TRACKERS} = /home/roundup/roundup.demo
@{ROUNDUP_LOCALE} = /home/roundup/local/share/locale
@{ROUNDUP_SITE_PACKAGES} = /home/roundup/local/lib/python3.*/site-packages
@{ROUNDUP_BIN_DIR} = /home/roundup/local/bin/

# set the policy for the roundup-server running under python 3
/home/roundup/local/bin/roundup-server3 {
  # Allow binding to ports
  #include <abstractions/apache2-common>
  #include <abstractions/base>

  # allow access to installed python support libs.
  #include <abstractions/python>

  # Allow tempfile to work
  #include <abstractions/user-tmp>

  # execute the python binary
  /usr/bin/python3.* ix,

  # read mime types
  /etc/mime.types r,

  # allow reading of the roundup-server script by python 3
  @{ROUNDUP_BIN_DIR}/roundup-server3 r,

  # allow read access to the trackers directory
  @{ROUNDUP_TRACKERS}/ r,
  # and all files underneath
  @{ROUNDUP_TRACKERS}/** r,
  # and allow writing to all files under the db directory
  @{ROUNDUP_TRACKERS}/db/** rw,

  # allow writing to the log files at the root of the tracker and allow them to be rotated
  @{ROUNDUP_TRACKERS}/*.log rw,
  @{ROUNDUP_TRACKERS}/roundup.log.* rw,

  # this is unique to my tracker. It has an rss feed. Allow roundup to write the file in the html subdir.
  @{ROUNDUP_TRACKERS}/html/rss.xml rw,

  # allow read access to the roundup scripts
  @{ROUNDUP_BIN_DIR}/ r,

  # allow read access to the roundup support libraries and locale files since they are not installed under /usr/lib/python...
  @{ROUNDUP_SITE_PACKAGES}/ r,
  @{ROUNDUP_SITE_PACKAGES}/** r,
  @{ROUNDUP_LOCALE}/** r,
}
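The profile above relies on a few AppArmor path-matching details that are easy to get wrong when adapting it: `*` stops at `/` while `**` crosses directories, a rule ending in `/` covers only the directory itself, and permissions from every matching rule accumulate (so a file under db/ gets `r` from the `**` rule and `w` from the `db/**` rule). The following Python script, an added example that is not part of the original page and not AppArmor's own matcher, re-creates that resolution for the explicit path rules of this profile so you can check what a given access would be granted before loading the profile. It ignores the included abstractions (base, python, user-tmp, apache2-common), which grant further access, and the sample paths at the bottom are constructed.

```python
"""Resolve which of the profile's explicit path rules cover a given access.

Constructed example: this models only the rules written out in the
roundup-server3 profile (variable expansion, '*' vs '**' globbing, the
trailing '/' directory convention, and accumulation of permissions from
every rule that matches). The #include abstractions are not modelled.
"""
import posixpath
import re

# Variable definitions copied from the profile above.
VARIABLES = {
    "ROUNDUP_TRACKERS": "/home/roundup/roundup.demo",
    "ROUNDUP_LOCALE": "/home/roundup/local/share/locale",
    "ROUNDUP_SITE_PACKAGES": "/home/roundup/local/lib/python3.*/site-packages",
    "ROUNDUP_BIN_DIR": "/home/roundup/local/bin/",
}

# (glob, permission letters) pairs, in the order they appear in the profile.
RULES = [
    ("/usr/bin/python3.*", "ix"),
    ("/etc/mime.types", "r"),
    ("@{ROUNDUP_BIN_DIR}/roundup-server3", "r"),
    ("@{ROUNDUP_TRACKERS}/", "r"),
    ("@{ROUNDUP_TRACKERS}/**", "r"),
    ("@{ROUNDUP_TRACKERS}/db/**", "rw"),
    ("@{ROUNDUP_TRACKERS}/*.log", "rw"),
    ("@{ROUNDUP_TRACKERS}/roundup.log.*", "rw"),
    ("@{ROUNDUP_TRACKERS}/html/rss.xml", "rw"),
    ("@{ROUNDUP_BIN_DIR}/", "r"),
    ("@{ROUNDUP_SITE_PACKAGES}/", "r"),
    ("@{ROUNDUP_SITE_PACKAGES}/**", "r"),
    ("@{ROUNDUP_LOCALE}/**", "r"),
]


def expand_vars(glob: str) -> str:
    """Substitute @{NAME} with its definition, then collapse doubled slashes
    (ROUNDUP_BIN_DIR ends in '/' and the rules append another one)."""
    expanded = re.sub(r"@\{(\w+)\}", lambda m: VARIABLES[m.group(1)], glob)
    return re.sub(r"/+", "/", expanded)


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate AppArmor globbing: '**' may cross '/', '*' and '?' may not."""
    out = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


COMPILED_RULES = [(glob_to_regex(expand_vars(g)), p) for g, p in RULES]


def canonical(path: str) -> str:
    """The kernel hands AppArmor an already-resolved path, so '..' and '//'
    never reach the rules; mimic that, keeping a trailing '/' because it is
    what distinguishes a directory rule from a file rule."""
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def permissions_for(path: str) -> str:
    """Union of the permission letters of every rule matching the path."""
    path = canonical(path)
    letters = set()
    for pattern, perms in COMPILED_RULES:
        if pattern.match(path):
            letters.update(perms)
    return "".join(sorted(letters))


def is_allowed(path: str, mode: str) -> bool:
    """True when every requested permission letter is granted by some rule."""
    return set(mode) <= set(permissions_for(path))


if __name__ == "__main__":
    # Constructed sample accesses, roughly what roundup-server3 does at runtime.
    for path, mode in [
        ("/usr/bin/python3.6", "ix"),
        ("/home/roundup/roundup.demo/db/tracker.db", "rw"),
        ("/home/roundup/roundup.demo/config.ini", "rw"),
        ("/home/roundup/roundup.demo/db/../config.ini", "w"),
        ("/home/roundup/roundup.demo/html/rss.xml", "w"),
        ("/etc/shadow", "r"),
    ]:
        verdict = "ALLOW" if is_allowed(path, mode) else "DENY "
        print(f"{verdict} {mode:3} {path}  (rules grant: {permissions_for(path) or '-'})")
```

Run it as-is to see the table; the interesting rows are config.ini (readable via `**` but not writable, because only `db/**` carries `w`) and the `db/../config.ini` request, which the kernel canonicalises before matching, so the `db/**` write permission does not leak to the tracker root. When you adapt the profile to a different tracker layout or add the database socket rule for MySQL or PostgreSQL, add the new rule to `RULES` and re-run before loading the real profile; for the final check, AppArmor's own complain mode and the kernel audit log remain the authority.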