Building And Modifying Profiles - Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 04-08-2006 Installation Manual

Web Applications
CGI Perl scripts, PHP pages, and more complex Web applications can be started
through a Web browser.
Cron Jobs
Programs that the cron daemon periodically runs read input from a variety of sources.
To find out which processes are currently running with open network ports and might
need a profile to confine them, run aa-unconfined as root.
Example 49.1 Output of aa-unconfined
19848 /usr/sbin/cupsd not confined
19887 /usr/sbin/sshd not confined
19947 /usr/lib/postfix/master not confined
29205 /usr/sbin/sshd confined by '/usr/sbin/sshd (enforce)'
Each of the processes in the above example labeled not confined might need a
custom profile to confine it. Those labeled confined by are already protected by
AppArmor.
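The triage described above, as an added example that is not part of the original manual: a shell function that groups aa-unconfined output (in the line format of Example 49.1) by binary and confinement state. The function names and the two extra sample lines are assumptions made for illustration; complain is the AppArmor mode in which a profile logs violations instead of blocking them.

```shell
#!/bin/sh
# Added example: group aa-unconfined output (line shapes as in Example 49.1)
# by binary and confinement state, so profiling candidates stand out.

# Sample report: the four lines of Example 49.1 plus two CONSTRUCTED lines
# (PIDs 19950 and 30112) to exercise PID grouping and complain mode.
sample_report() {
    cat <<'EOF'
19848 /usr/sbin/cupsd not confined
19887 /usr/sbin/sshd not confined
19947 /usr/lib/postfix/master not confined
29205 /usr/sbin/sshd confined by '/usr/sbin/sshd (enforce)'
19950 /usr/lib/postfix/master not confined
30112 /usr/sbin/ntpd confined by '/usr/sbin/ntpd (complain)'
EOF
}

# Reads a report on stdin and prints "<STATE> <binary> pids=<pid,...>",
# one line per distinct (state, binary) pair, in order of first appearance.
triage_unconfined() {
    awk '
    function add(state, path, pid,    key) {
        key = state " " path
        if (key in pids) { pids[key] = pids[key] "," pid }
        else { order[++n] = key; pids[key] = pid }
    }
    /^[0-9]+ .+ not confined$/ {
        path = $0
        sub(/^[0-9]+ /, "", path); sub(/ not confined$/, "", path)
        add("UNCONFINED", path, $1); next
    }
    /^[0-9]+ .+ confined by / {
        path = $0
        sub(/^[0-9]+ /, "", path); sub(/ confined by .*$/, "", path)
        state = "UNKNOWN"                            # mode string not recognised
        if ($0 ~ /\(enforce\)/) state = "ENFORCED"
        if ($0 ~ /\(complain\)/) state = "COMPLAIN"  # logged, not blocked
        add(state, path, $1); next
    }
    END { for (i = 1; i <= n; i++) print order[i] " pids=" pids[order[i]] }
    '
}

# On a live system (as root): aa-unconfined | triage_unconfined
sample_report | triage_unconfined
```

The same binary can appear under two states, as /usr/sbin/sshd does here: the instance with PID 19887 is running without the profile that confines PID 29205.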
TIP: For More Information
For more information about choosing the right applications to profile, refer
to Chapter 2, Selecting Programs to Immunize (↑Novell AppArmor 2.0
Administration Guide).

49.3.2 Building and Modifying Profiles

Novell AppArmor on SUSE Linux Enterprise ships with a preconfigured set of profiles
for the most important applications. In addition to that, you can use AppArmor to create
your own profiles for any application you want.
There are two ways of managing profiles. One is to use the graphical front-end provided
by the YaST Novell AppArmor modules and the other is to use the command line tools
provided by the AppArmor suite itself. Both methods basically work the same way.
Running aa-unconfined as described in Section 49.3.1, "Choosing the Applications to
Profile" (page 882) identifies a list of applications that may need a profile to run in a
safe mode.