Novell AppArmor (2.3.1) Quick Start
NOVELL® QUICK START CARD
This document helps you understand the main concepts behind Novell® AppArmor: the content of AppArmor profiles, and how to create or modify them. You can create and manage AppArmor profiles in three different ways. The most convenient interface to AppArmor is provided by the AppArmor YaST modules, which can be used either in graphical or ncurses mode. The same functionality is provided by the AppArmor command line tools, and you can also edit the profiles directly in a text editor.
AppArmor Modes
complain/learning
In complain (learning) mode, violations of the AppArmor profile rules, such as the profiled program accessing files not permitted by the profile, are detected and logged, but the access is still permitted. This mode is convenient for developing profiles and is used by the AppArmor tools for generating profiles. A program in complain mode is therefore not protected; switch the profile to enforce mode once its rules are complete.
enforce
Loading a profile in enforce mode enforces the policy defined in the profile and reports policy violation attempts to syslogd.
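The two modes differ in what the kernel logs: a complain-mode profile records the access and lets it through, an enforce-mode profile records it and blocks it. The script below is an added example for this quick start, not Novell's tooling: it sorts AppArmor audit events into complain-mode and enforce-mode hits and turns the complain-mode events of one profile into candidate file rules, the way a profile-generation pass would. The log lines are constructed for the example, and the field layout (type=APPARMOR_ALLOWED/APPARMOR_DENIED, profile=, name=, denied_mask=, fsuid=, ouid=) is an assumption based on the kernel audit format, which differs between AppArmor and kernel versions; compare it with your own audit.log or syslog output before relying on it.

```shell
#!/bin/sh
# Added example, not part of the Novell quick start: classify AppArmor audit
# events into complain-mode (APPARMOR_ALLOWED: the access went through but
# was logged) and enforce-mode (APPARMOR_DENIED: the access was blocked),
# then turn the complain-mode events of one profile into candidate file rules.
# The log lines are constructed; the field layout (type=APPARMOR_* ...
# profile="..." name="..." denied_mask="..." fsuid=N ouid=N) is assumed from
# the kernel audit format and varies between AppArmor and kernel versions.
set -eu

SAMPLE_LOG=$(cat <<'EOF'
type=APPARMOR_ALLOWED msg=audit(1237981022.101:31): operation="open" profile="/usr/bin/foo" name="/etc/foo/foo.conf" pid=2101 comm="foo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=APPARMOR_ALLOWED msg=audit(1237981022.102:32): operation="open" profile="/usr/bin/foo" name="/home/alice/.foo/cache" pid=2101 comm="foo" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=APPARMOR_DENIED msg=audit(1237981050.377:33): operation="open" profile="/usr/sbin/bar" name="/etc/shadow" pid=2210 comm="bar" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=APPARMOR_STATUS msg=audit(1237981060.001:34): operation="profile_load" name="/usr/sbin/bar" pid=2300 comm="apparmor_parser"
EOF
)

# Value of a quoted field (key="value") from one audit line; empty if absent.
aa_str() { # usage: aa_str KEY LINE
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# Value of a numeric field (key=123) from one audit line; empty if absent.
aa_num() { # usage: aa_num KEY LINE
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([0-9][0-9]*\).*/\1/p"
}

# Read audit lines on stdin and print "MODE PROFILE PATH MASK" for each
# file access event. Status and other event types are skipped.
aa_events() {
    while IFS= read -r line; do
        case "$line" in
            "type=APPARMOR_ALLOWED "*) mode=complain ;;
            "type=APPARMOR_DENIED "*)  mode=enforce ;;
            *) continue ;;
        esac
        printf '%s %s %s %s\n' "$mode" "$(aa_str profile "$line")" \
            "$(aa_str name "$line")" "$(aa_str denied_mask "$line")"
    done
}

# Turn the complain-mode events of PROFILE (read from stdin) into candidate
# file rules. When the process's fsuid equals the file's ouid the process
# accessed a file it owned, so the rule is narrowed with the owner keyword.
# Enforce-mode denials are deliberately ignored: they come from a profile
# that is already enforcing, which should be switched to complain mode first.
suggest_rules() { # usage: suggest_rules PROFILE < log
    while IFS= read -r line; do
        case "$line" in "type=APPARMOR_ALLOWED "*) ;; *) continue ;; esac
        [ "$(aa_str profile "$line")" = "$1" ] || continue
        path=$(aa_str name "$line")
        mask=$(aa_str denied_mask "$line")
        if [ "$(aa_num fsuid "$line")" = "$(aa_num ouid "$line")" ]; then
            printf 'owner %s %s,\n' "$path" "$mask"
        else
            printf '%s %s,\n' "$path" "$mask"
        fi
    done
}

printf '%s\n' "$SAMPLE_LOG" | aa_events
printf '%s\n' "$SAMPLE_LOG" | suggest_rules /usr/bin/foo
```

On the constructed input the enforce-mode line is the only one that was actually blocked (bar reading /etc/shadow), and the two complain-mode lines for /usr/bin/foo become `/etc/foo/foo.conf r,` and `owner /home/alice/.foo/cache w,`; the second gets the owner keyword because foo ran as uid 1000 and the file is owned by uid 1000. Treat such suggestions as input for review, not as rules to paste in unread.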
Starting and Stopping AppArmor
Use the rcapparmor command with one of the following parameters:
start
Load the kernel module, mount securityfs, parse and load profiles. Profiles and confinement are applied to any application started after this command was executed. Processes already running at the time AppArmor is started continue to run unconfined, so restart any already-running daemon that you want confined.
stop
Unmount securityfs and invalidate profiles.
reload
Reload profiles.
status
If AppArmor is enabled, output how many profiles are loaded in complain or enforce mode.
Use the rcaaeventd command to control event logging with aa-eventd. Use the start and stop options to toggle aa-eventd, and the status option to check whether it is running.
AppArmor Command Line Tools
autodep
Guess basic AppArmor profile requirements. autodep creates a stub profile for the program or application examined. The resulting profile is called "approximate" because it does not necessarily contain all of the profile entries that the program needs to be confined properly.
complain
Set an AppArmor profile to complain mode. Manually activating complain mode (using the command line) adds a flag to the top of the profile, so that /bin/foo becomes /bin/foo flags=(complain).
enforce
Set an AppArmor profile to enforce mode from complain mode.
Manually activating enforce mode (using the command line) removes the mode flags from the top of the profile, so that /bin/foo flags=(complain) becomes /bin/foo.
Learning Mode
Edit
Enable editing of the highlighted line. The new (edited) line appears at the bottom of the list. This option is called New in the logprof and genprof command line tools.
Alias rules map one file system path onto another, so that rules written for the first path also apply to the second, for example:
alias /home/ -> /mnt/users/
For more information see Part "Confining Privileges with Novell AppArmor" (Security Guide).
Rules
/some/random/example/* r
Allow read access to files in the /some/random/example directory. A single * does not match /, so files in subdirectories are not covered; use ** to match across directory levels.
/some/random/example/ r
Allow read access to the /some/random/example directory itself.
Owner Conditional Rules
The file rules can be extended so that they are conditional upon the user being the owner of the file, by prepending the keyword owner to the rule.
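The mode flag that the complain and enforce tools write to a profile header, and the way file rules and owner rules cover paths, can be checked with the following script. It is an added example for this quick start, not Novell's tooling: the profile it writes, the program /usr/bin/foo and every path in it are constructed for the example, and its glob matching is an approximation of AppArmor's (a single * stops at /, ** crosses it, and neither covers the directory itself when written directly after a /). On a real system use the complain and enforce tools rather than rewriting headers by hand; the header rewrite here only handles the plain flags=(complain) form the quick start describes.

```shell
#!/bin/sh
# Added example for this quick start, not Novell's own tooling: a small
# profile inspector that (1) reads and toggles the mode flag the "complain"
# and "enforce" tools put on a profile header, and (2) lists which file rules
# of a profile cover a given path, using an approximation of AppArmor glob
# semantics. The profile text is constructed; /usr/bin/foo is hypothetical.
set -eu

PROFILE="${TMPDIR:-/tmp}/aa-example.profile"

# Constructed profile in enforce mode (no flags on the header line).
cat > "$PROFILE" <<'EOF'
#include <tunables/global>

/usr/bin/foo {
  #include <abstractions/base>

  /usr/bin/foo              mr,
  /etc/foo/**               r,
  /some/random/example/     r,
  /some/random/example/*    r,
  owner /home/*/.foo/       rw,
  owner /home/*/.foo/**     rw,
}
EOF

# Print "complain" if the header carries flags=(complain), else "enforce".
profile_mode() {
    if grep -Eq '^/[^[:space:]]+[[:space:]]+flags=[(]complain[)][[:space:]]*[{]' "$1"; then
        echo complain
    else
        echo enforce
    fi
}

# Mimic the "complain" tool: "/usr/bin/foo {" becomes
# "/usr/bin/foo flags=(complain) {". A header that already has flags is left alone.
set_complain() {
    sed -E 's|^(/[^[:space:]]+)[[:space:]]*[{][[:space:]]*$|\1 flags=(complain) {|' "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# Mimic the "enforce" tool: strip the plain flags=(complain) mode flag again.
set_enforce() {
    sed -E 's|^(/[^[:space:]]+)[[:space:]]+flags=[(]complain[)][[:space:]]*[{]|\1 {|' "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# Translate an AppArmor file glob to a POSIX ERE (approximation): "**" matches
# across "/", "*" does not; directly after a "/" both need at least one
# character, so "/dir/*" and "/dir/**" do not cover "/dir/" itself. Other
# glob features (?, {a,b}, [...]) are not handled here.
glob_to_ere() {
    printf '%s\n' "$1" | awk '{
        n = length($0); out = "^"
        for (i = 1; i <= n; i++) {
            c = substr($0, i, 1)
            after_slash = (i > 1 && substr($0, i - 1, 1) == "/")
            if (c == "*" && substr($0, i + 1, 1) == "*") {
                out = out (after_slash ? "[^/].*" : ".*"); i++
            } else if (c == "*") {
                out = out (after_slash ? "[^/]+" : "[^/]*")
            } else if (index(".+?(){}|^$\\[]", c) > 0) {
                out = out "\\" c
            } else {
                out = out c
            }
        }
        print out "$"
    }'
}

# Succeed if PATH is covered by GLOB.
rule_matches() { # usage: rule_matches GLOB PATH
    printf '%s\n' "$2" | grep -Eq "$(glob_to_ere "$1")"
}

# List the file rules of a profile whose glob covers PATH, one per line,
# whitespace normalised and trailing comma dropped (header and includes skipped).
rules_for_path() { # usage: rules_for_path PROFILE_FILE PATH
    p=$2
    sed -e 's/^[[:space:]]*//' -e 's/,[[:space:]]*$//' -e 's/[[:space:]][[:space:]]*/ /g' "$1" |
    grep -E '^(owner )?/' | grep -v '{$' |
    while IFS= read -r rule; do
        glob=$(printf '%s\n' "$rule" | awk '{ g = ($1 == "owner") ? $2 : $1; print g }')
        if rule_matches "$glob" "$p"; then
            printf '%s\n' "$rule"
        fi
    done
}

printf 'mode: %s\n' "$(profile_mode "$PROFILE")"
set_complain "$PROFILE"
printf 'mode after complain: %s\n' "$(profile_mode "$PROFILE")"
set_enforce "$PROFILE"
printf 'rules covering /some/random/example/sub/file:\n'
rules_for_path "$PROFILE" /some/random/example/sub/file   # none: "*" stops at "/"
```

The last call prints nothing: /some/random/example/* covers /some/random/example/file but not anything in a subdirectory, which is exactly the gap a profile author hits when a program starts writing into a nested cache directory. The owner rules are handled the same way, with the owner keyword carried through in the output so you can see which matches only apply to files the process owns.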
Logging and Auditing
Use YaST for generating reports in CSV or HTML format. The Linux audit framework contains a dispatcher that can send AppArmor events to any consumer application via
Legal Notice
All content is copyright © 2006-2009 Novell, Inc. This manual is protected under Novell intellectual property rights. The express authorization of Novell, Inc. must be obtained prior to any other use of any manual or part thereof. An asterisk (*) denotes a third party trademark.