
Novell APPARMOR - QUICKSTART CARD 2 Quick Start Manual

For SLE 10 SP2

Novell AppArmor (for SLE 10 SP2)
Quick Start
This document helps you understand the main concepts behind Novell® AppArmor: the content of AppArmor profiles and how to create or modify them. You can create and manage AppArmor profiles in three different ways. The most convenient interface to AppArmor is the set of AppArmor YaST modules, which can be used either in graphical or ncurses mode. The same functionality is provided by the AppArmor command line tools, or you can simply edit the profiles in a text editor.
AppArmor Modes
complain/learning
In complain or learning mode, violations of AppArmor profile rules, such as the profiled program accessing files not permitted by the profile, are detected. The violations are permitted, but also logged. This mode is convenient for developing profiles and is used by the AppArmor tools for generating profiles.
enforce
Loading a profile in enforcement mode enforces the policy defined in the profile and reports policy violation attempts to syslogd.
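The practical difference between the two modes shows up in the log: complain mode records each violation it lets through, enforce mode records each one it blocks. The following shell script is an added example, not part of the Novell card, that summarises such messages per profile and decision. The log lines are constructed samples in the keyword format (apparmor="ALLOWED" / apparmor="DENIED") written by later AppArmor releases; the exact syslog format on SLE 10 SP2 may differ, so adjust the patterns to your own log lines.

```shell
#!/bin/sh
# Added example (not from the Novell card): summarise AppArmor audit
# messages by profile and decision. The lines below are constructed
# samples; the profile names and paths are hypothetical.

SAMPLE_LOG='kernel: audit: type=1400 apparmor="ALLOWED" operation="open" profile="/usr/sbin/foo" name="/etc/shadow" pid=1234 comm="foo" requested_mask="r" denied_mask="r"
kernel: audit: type=1400 apparmor="ALLOWED" operation="open" profile="/usr/sbin/foo" name="/var/log/foo.log" pid=1234 comm="foo" requested_mask="w" denied_mask="w"
kernel: audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/sbin/bar" name="/etc/shadow" pid=2345 comm="bar" requested_mask="r" denied_mask="r"
kernel: audit: type=1400 apparmor="STATUS" operation="profile_load" name="/usr/sbin/baz" pid=1 comm="apparmor_parser"'

# Print "profile decision count" for every ALLOWED event (complain mode:
# the access went through but was logged) and every DENIED event
# (enforce mode: the access was blocked). STATUS lines are skipped.
summarize_events() {
    printf '%s\n' "$1" |
    awk '
        /apparmor="(ALLOWED|DENIED)"/ {
            match($0, /apparmor="[A-Z]+"/)
            decision = substr($0, RSTART + 10, RLENGTH - 11)
            match($0, /profile="[^"]*"/)
            profile = substr($0, RSTART + 9, RLENGTH - 10)
            count[profile " " decision]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Number of ALLOWED events: the entries a profile author reviews before
# switching a profile from complain to enforce mode.
count_allowed() {
    printf '%s\n' "$1" | grep -c 'apparmor="ALLOWED"'
}

summarize_events "$SAMPLE_LOG"
```

ALLOWED events are the ones to review (and usually add to the profile) before switching from complain to enforce mode; a DENIED event from an enforced profile is a blocked access that is worth investigating.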
Starting and Stopping AppArmor
Use the rcapparmor command with one of the following parameters:
start
Load the kernel module, mount securityfs, parse and load profiles. Profiles and confinement are applied to any application started after this command was executed. Processes already running at the time AppArmor is started continue to run unconfined.
stop
Unmount securityfs, and invalidate profiles.
reload
Reload profiles.
status
If AppArmor is enabled, output how many profiles are loaded in complain or enforce mode.
Use the rcaaeventd command to control event logging with aa-eventd. Use the start and stop options to toggle the status of aa-eventd, and check its status using status.
AppArmor Command Line Tools
autodep
Guess basic AppArmor profile requirements. autodep creates a stub profile for the program or application examined. The resulting profile is called "approximate" because it does not necessarily contain all of the profile entries that the program needs to be confined properly.
complain
Set an AppArmor profile to complain mode. Manually activating complain mode (using the command line) adds a flag to the top of the profile so that /bin/foo becomes /bin/foo flags=(complain).
enforce
Set an AppArmor profile to enforce mode from complain mode.
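The complain and enforce tools (and the matching description of enforce mode on page 2 of the card) work on the profile's header line: adding flags=(complain) puts the profile in complain mode, removing it returns the profile to enforce mode. The script below is an added example, not the card's own text or the AppArmor project's tools. It writes a constructed profile for a hypothetical /usr/sbin/foo into a temporary directory and toggles the flag with sed, so nothing under /etc/apparmor.d is touched; the real tools also reload the profile into the kernel, which this example deliberately leaves out.

```shell
#!/bin/sh
# Added example (not the card's or the AppArmor project's own tools):
# emulate what the complain and enforce command line tools do to a
# profile's header line. The profile text is a constructed sample for a
# hypothetical program and lives in a temporary directory.

WORK=$(mktemp -d)
PROFILE="$WORK/usr.sbin.foo"

# Constructed profile, using the abstractions class of #includes that the
# card mentions. Rule syntax follows the AppArmor profile language.
cat > "$PROFILE" <<'EOF'
#include <tunables/global>

/usr/sbin/foo {
  #include <abstractions/base>

  /usr/sbin/foo mr,
  /etc/foo.conf r,
  /var/log/foo.log w,
}
EOF

# Report the profile's mode: "complain" if the header line carries
# flags=(complain), otherwise "enforce".
profile_mode() {
    if grep -q '^/[^ ]* flags=(complain) {' "$1"; then
        echo complain
    else
        echo enforce
    fi
}

# Rewrite a profile file in place through a temporary copy (portable
# alternative to sed -i).
rewrite_header() {
    sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# What the complain tool does to the file: "/usr/sbin/foo {" becomes
# "/usr/sbin/foo flags=(complain) {".
set_complain() {
    rewrite_header 's|^\(/[^ ]*\) {$|\1 flags=(complain) {|' "$1"
}

# What the enforce tool does to the file: "/usr/sbin/foo flags=(complain) {"
# becomes "/usr/sbin/foo {".
set_enforce() {
    rewrite_header 's|^\(/[^ ]*\) flags=(complain) {$|\1 {|' "$1"
}

profile_mode "$PROFILE"     # enforce
set_complain "$PROFILE"
profile_mode "$PROFILE"     # complain
set_enforce "$PROFILE"
profile_mode "$PROFILE"     # enforce
```

On a real system, prefer the complain and enforce tools over editing the file by hand, because they also reload the changed profile; the header edit alone changes nothing for a profile already loaded in the kernel until rcapparmor reload is run.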
NOVELL® QUICK START CARD

Summary of Contents for Novell APPARMOR - QUICKSTART CARD 2

  • Page 2: Learning Mode

    Manually activating enforce mode (using the command line) removes mode flags from the top of the profile, so that /bin/foo flags=(complain) becomes /bin/foo.

    Edit: Enable editing of the highlighted line. The new (edited) line appears at the bottom of the list. This option is called New in the logprof and genprof command line tools.
  • Page 3

    To assist you in profiling your applications, AppArmor provides three classes of #includes: abstractions, program chunks, and variables. Abstractions are #includes that are grouped by common application tasks.

    Option / File / Description table (fragments): "... for security reasons. This mode makes use of environment scrubbing." and "Allow Exe-: allow PROT_EXEC with mmap(2)".
  • Page 4: Logging And Auditing

    Virtualized file representing the currently loaded set of profiles.
    /etc/apparmor/: Location of AppArmor configuration files.

    Trademark notice: [http://www.novell.com/company/legal/trademarks/tmlist.html]. All third-party trademarks are the property of their respective owners. A trademark symbol (®, ™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.
  • Page 5 Created by SUSE® with XSL-FO...

This manual is also suitable for:

Apparmor