Novell AppArmor
Powered by Immunix
Admin Guide

Summary of Contents for Novell APPARMOR

  • Page 1 Novell AppArmor Powered by Immunix Admin Guide...
  • Page 2: Table Of Contents

    User’s Guide Introduction to AppArmor 3 Conventions Used in This User’s Guide 3 Manual Text 3 Examples, Notes and Warnings 4 Command 4...
  • Page 3 Delete AppArmor Profile. 47 Two Methods of Profiling 47 Standalone Profiling 48 Systemic Profiling 48 Summary of Profiling Tools 50 Enforce Mode 52 Path Names and Regular Expression Matching 66 File Permission Access Modes 66 Read Mode 67 Write Mode 67 Discrete Profile Execute Mode 67 Unconstrained Execute Mode 67 Inherit Execute Mode 68...
  • Page 4: Conventions Used In This User's Guide

    Novell AppArmor secures applications by differentiating between “good” and “bad” behaviors, permitting the good and preventing the bad.
  • Page 5: Examples, Notes And Warnings

    Conventions Used in This User’s Guide Key names are listed as they appear on your keyboard, as in Enter and Esc (for Escape).
  • Page 6: Prompts

    Chapter 4: How to Build Novell AppArmor Profiles describes how to use the Novell AppArmor tools to immunize your own programs and party programs that you may have installed on your SuSE Linux. It also helps you to add, edit or delete profiles that have been created for your applications.
  • Page 7: Apparmor Installation

    (GUI) or by using the command line (refer to “...
  • Page 8 • Edit Profile: Edits an existing Novell AppArmor profile on your system. For detailed steps, refer to “Editing a Novell AppArmor Profile”...
  • Page 9 “Creating Reports” on page 74. • Novell AppArmor Control Panel: For detailed steps, refer to “Man-...
  • Page 10: Why Immunize Programs

    Immunizing programs. Proceed to Chapter 4: How to Build Novell AppArmor Profiles if you’re ready to build and manage Novell AppArmor profiles.
  • Page 11: What Should You Immunize

    How To Immunize With Novell AppArmor Chapter 3 What Should You Immunize? Novell AppArmor quarantines programs to protect the rest of the system from being damaged by a compromised process. Thus programs that need profiling are those that mediate privilege. For example,...
  • Page 12: Immunizing Setuid Programs

    SuSE Linux, by default, stores web applications in /srv/www/cgi-bin/. To the maximum extent possible, each web application should have a Novell AppArmor profile. Because CGI programs are to be executed by the Apache web server, the profile for Apache itself usr.sbin.httpd2-prefork (for Apache...
  • Page 13 Apache web server. The Novell AppArmor installer installs this modified Apache web server along with change_hat. Novell AppArmor for Apache is provided by the mod_change_hat Apache module. To take advantage of the sub-process confinement, refer to “Apache ChangeHat” on page 79.
  • Page 14: Immunizing Network Agents

    /home/*/public_html/** /srv/www/htdocs/** /srv/www/icons/*.{gif,jpg,png} /usr/share/apache2/** If you want a single Novell AppArmor profile for all web pages and CGI scripts served by Apache, then editing the DEFAULT_URI subprofile is a good approach. Immunizing Network Agents To find network server daemons that should be profiled, you should...
  • Page 15 -nlp,” the unconfined tool inspects your open ports from inside your computer, detects the programs associated with those ports, inspects the set of Novell AppArmor profiles that you have loaded. Unconfined then reports these programs along with the Novell AppArmor profile associated with each program, or reports "none"...
  • Page 16 Notes: Requires root privilege, and should not itself be run from within a Novell AppArmor profile. unconfined does not distinguish between one network interface and another, and so it will report all unconfined processes, even those that may be listening to an internal LAN interface.
  • Page 17: Profile Components And Syntax

    An example illustrating this syntax is presented in “Breaking Down the Novell AppArmor Profile Into Its Parts” on page 17.
  • Page 18 Subsequent lines within the brackets {}: The rest of the lines take one of several forms: • #include directives that pull in components of Novell AppArmor profiles to simplify profiles. • Capability Entries statements that enable each of the 32 POSIX.1e capabilities.
  • Page 19: Include

    Attempts to violate Novell AppArmor rules are recorded in syslog. In many cases, Novell AppArmor rules will prevent an attack from working because necessary files are not accessible, and in all cases Novell AppArmor confinement bounds the damage that the attacker can do to the set of files permitted by Novell AppArmor.
  • Page 20: Capability Entries (Posix.1E)

    Each chunk is used by a single program; these are provided to ease local-site modifications to policy and updates to policy provided by Novell. Administrators can modify policy in these files to suit their own needs, leaving the program profiles unmodified, which will simplify the task of merging policy updates from Novell into enforced policy at each site.
  • Page 21: To Use The Yast Gui

    The YaST ncurses Console has the same features as the YaST GUI. Refer to the instructions “Building Novell AppArmor Profiles With the YaST GUI”...
  • Page 22: Building Apparmor Profiles With The Yast Gui

    ing Novell AppArmor Profiles Using the Command-line Interface” on page 46. The Command-line Interface offers access to a few tools that are not available using the other Novell AppArmor managing methods. These tools are: •...
  • Page 23 • Edit Profile: Edits an existing Novell AppArmor profile on your system. For detailed steps, refer to “Editing a Novell AppArmor Profile”...
  • Page 24: Using The Add Profile Wizard

    2. If you haven’...
  • Page 25 The Novell AppArmor GenProf Profiling Wizard window displays. 5. In the background, Novell AppArmor also sets the profile to learning mode. For more information on learning mode, refer to “Complain or Learning Mode”...
  • Page 26 Hat?” on page 79. The questions will fall into two categories: • A resource is requested by a profiled program that is not in the profile (see Figure 1 below) •...
  • Page 27 All of these options are not always available. • #include: An include is the section of a Novell AppArmor profile that refers to an include file. Include files procure access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs.
  • Page 28 10. Once you select a directory path, you need to process it as an entry into the Novell AppArmor profile by clicking Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob or Edit it.
  • Page 29: Editing A Apparmor Profile

    You simply need to select the existing profile, then add, edit, or delete entries. To edit a profile, follow these steps: 1. To edit a profile, open the YaST GUI and click Novell AppArmor. The Novell AppArmor GUI now displays.
  • Page 30 2. From Novell AppArmor, click the Edit Profile icon. The Edit Profile - Choose Profile to Edit window displays. 3. From the list of profiled programs, select the profile you would like...
  • Page 31 Building Novell AppArmor Profiles With the YaST GUI 4. Click the Next button. The Novell AppArmor Profile Dialog window displays the profile. 5. From the Novell AppArmor Profile Dialog window, you can Add, Edit or Delete Novell AppArmor profile entries by clicking the corresponding buttons and referring to the following sections: “...
  • Page 32: Deleting A Profile

    . You simply need to select the application you’d like to delete a profile for, then delete it as follows: 1. To delete a profile, open the YaST GUI and click Novell AppArmor. The Novell AppArmor interface displays.
  • Page 33: Update Profiles From Syslog Entries

    5. Click the Yes button to delete the profile. Update Profiles From Syslog Entries The Novell AppArmor Profiling wizard uses LogProf, the tool that scans log files and enables you to update profiles. LogProf tracks messages from the Novell AppArmor module that represent exceptions for all profiles running on your system.
  • Page 34 The questions will fall into two categories: • A resource is requested by a profiled program that is not in the profile (see Figure 1 below) • Or a program is executed by the profiled program and the security domain transition has not been defined (see Figure 2 below).
  • Page 35 All of these options are not always available. • #include: An include is the section of a Novell AppArmor profile that refers to an include file. Include files procure access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs.
  • Page 36 4. Once you select a directory path, you need to process it as an entry into the Novell AppArmor profile by clicking Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob or Edit it.
  • Page 37: Manually Adding A Profile

    ’d like to create a profile for, then add entries. 1. To add a profile, open the YaST GUI and click Novell AppArmor.
  • Page 38 2. From Novell AppArmor, click the Manually Add a Novell AppArmor Profile icon. The Select a File to Generate Profile for window displays. 3. From the Select a File to Generate Profile for window, browse your system to find the application for which you would like to create a profile.
  • Page 39 Novell AppArmor Profile Dialog window. 5. From the Novell AppArmor Profile Dialog window, you can Add, Edit or Delete Novell AppArmor profile entries by clicking the corresponding buttons and referring to the following sections: “Add Entry”...
  • Page 40 Add Entry When you click the Add Entry button, a pull-down list displays the types of entries for you to add to the Novell AppArmor profile. 1. From the pull-down list, select one of the following: • File: In the pop-up window, specify the absolute path of a file, including the type of access permitted.
  • Page 41 “File Permission Access Modes” on page 69. • Capability: In the pop-up window, select the appropriate capabilities. These are statements that enable each of the 32 POSIX.1e capabilities. Refer to “Breaking Down the Novell AppArmor Profile...
  • Page 42 • Include: In the pop-up window, browse to the files you would like to use as includes. Includes are directives that pull in components of other Novell AppArmor profiles to simplify profiles. For more information, refer to “#include” on page 19.
  • Page 43: Managing Apparmor And Security Event Status

    Building Novell AppArmor Profiles With the YaST GUI Edit Entry When you highlight the Novell AppArmor profile entry and click the Edit Entry button, the file browser pop-up window displays. From here, you can edit the highlighted entry. In the pop-up window, specify the absolute path of a file, including the type of access permitted.
  • Page 44 • To change the status of Novell AppArmor, click the Configure button and refer to “Change Novell AppArmor Status” on page 45. The enable Novell AppArmor screen displays.
  • Page 45 Security Event Notification screen displays. Change Novell AppArmor Status When you change the status of Novell AppArmor, you set it to enable or disable. When Novell AppArmor is enabled, it is installed, running and enforcing the Novell AppArmor security policies.
  • Page 46: Building Apparmor Profiles Using The Command-Line Interface

    You can detect which of the three states that the SubDomain module is in by inspecting /subdomain/profiles. If cat /subdomain/profiles reports a list of profiles, then Novell AppArmor is running. If it is empty and returns nothing then SubDomain is stopped. If the file does not exist, then SubDomain is unloaded.
  • Page 47 lsmod, and rmmod, but this approach is not recommended. Rather, it is recommended that you manage Novell AppArmor through the script /etc/init.d/subdomain, which can perform the following operations: /etc/init.d/subdomain start Has different behaviors depending on the SubDomain module state. If...
  • Page 48: Building Apparmor Profiles

    The following options contain detailed steps for building profiles: • Add or Create Novell AppArmor Profiles: Refer to “Add or Create a Novell AppArmor Profile” on page 49 •...
  • Page 49: Add Or Create A Apparmor Profile

    Add or Create a Novell AppArmor Profile To add or create a Novell AppArmor profile for an application, you can use a systemic or standalone profiling method, depending on your needs. Both methods are explained in detail here: •...
  • Page 50: Two Methods Of Profiling

    3. To go to the Novell AppArmor directory, type cd /etc/subdomain.d/. 4. Type ls to view all the Novell AppArmor profiles that are currently installed. 5. Delete the existing profile by typing rm profilename.
  • Page 51: Systemic Profiling

    Building a Novell AppArmor profile for a group of applications is as follows: 1. Create profiles for the individual programs that make up your application.
  • Page 52: Summary Of Profiling Tools

    To assure that all profiles are taken out of complain mode and put into enforce mode, type: enforce /etc/subdomain.d/* 8. Re-scan all profiles. To have Novell AppArmor re-scan all of the profiles and change the enforcement mode in the kernel, type: /etc/init.d/subdomain restart...
  • Page 53 The resulting profile is called "approximate" because it does not necessarily contain all of the profile entries that the program needs to be properly confined by Novell AppArmor. The minimum autodep approximate profile will at least have a base include directive, which contains basic profile entries needed by most programs.
  • Page 54 . /-name '*foo*' -print. Complain or Learning Mode The complain or learning mode Novell AppArmor tool detects violations of SubDomain profile rules, such as the profiled program accessing files not permitted by the profile. The violations are permitted, but also logged.
  • Page 55: Enforce Mode

    AppArmor profile rules, such as the profiled program accessing files not permitted by the profile. The violations are logged and NOT permitted. Turn complain mode on when you want the Novell AppArmor profiles to control the access of the program that is profiled. The default mode is for enforce mode to be turned on.
  • Page 56 It Autodeps the specified program, creating an approximate profile (if a profile doesn't already exist for it), sets it to complain mode, reloads it into Novell AppArmor, marks the syslog, and prompts the user to execute the program and exercise its functionality.
  • Page 57 • Select "F" from the genprof menu to exit. 5. If you selected "S" in the previous step and system events exist in the log, Novell AppArmor will parse the learning mode log files. This will generate a series of questions which you must answer to guide genprof in generating the security profile.
  • Page 58 file (see Figure 1 below) • Or a program is executed by the profiled program and the security domain transition has not been defined (see Figure 2 below). Each of these cases results in a series of questions that you must answer to add the resource to the profile or to add the program into the profile.
  • Page 59 All of these options are not always presented in the Novell AppArmor menu. • #include: An include is the section of a Novell AppArmor profile that refers to an include file. Include files procure access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs.
  • Page 60 6. Once you select the path name or #include, you can process it as an entry into the Novell AppArmor profile by clicking Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob or Edit it.
  • Page 61 To enable the syntax coloring, when you edit a Novell AppArmor profile in vim, use the command “:syntax on” and then “:set syntax=subdomain”...
  • Page 62 In this example, the access to /etc/group is part of httpd2-prefork accessing nameservices. The appropriate response is 1, which pulls in a pre-defined set of Novell AppArmor rules. Selecting 1 to #include the nameservice package forestalls all of the future questions...
  • Page 63 If the expression you enter does not actually satisfy the event that prompted the question in the first place, Novell AppArmor will ask you for confirmation and let you re-enter the expression.
  • Page 64 SuSE LINUX Enterprise Server 9 serves FTP files from /srv/ftp. This is because httpd2-prefork uses chroot, and for the portion of the code inside the chroot jail, Novell AppArmor sees file accesses in terms of the chroot environment, rather than the global absolute path.
  • Page 65 MTA. • unconfined (ux): The child runs completely unconfined without any Novell AppArmor profile being applied to the executed resource. In this example, we are profiling the /usr/bin/mail mail client and logprof has discovered that /usr/bin/mail executes /usr/bin/less as a helper application to “...
  • Page 66 “U”nconfined. This writes “ux” into the parent profile, so that when the child runs, it runs without any Novell AppArmor profile being applied at all.
  • Page 67 Subdomain.vim A syntax coloring file for the vim text editor highlights various features of a Novell AppArmor profile with colors. Using vim and the Novell AppArmor syntax mode for vim, you can see the semantic implications of your profiles with color highlighting. Use vim to view and edit your profile by typing vim at a terminal window.
  • Page 68 Novell AppArmor profiles. unconfined requires root privilege, and that it not be confined by a Novell AppArmor profile. unconfined must be run as root to retrieve the process executable link from the proc filesystem.
  • Page 69: Path Names And Regular Expression Matching

    Path Names and Regular Expression Matching Regular Expression Matching, or Globbing, is when you modify the directory path using wildcards to include a group of files or subdirectories. File resources may be specified with a globbing syntax similar to that used by popular shells, such as csh(1), bash(1), zsh(1).
  • Page 70: Read Mode

    Discrete Profile Execute Mode This mode requires that a discrete security profile is defined for a resource executed at a Novell AppArmor domain transition. If there is no profile defined then the access will be denied. Incompatible with Inherit and Unconstrained execute entries.
  • Page 71: Link Mode

    File Permission Access Modes sions of the current profile. This mode is infrequently used. Link Mode Allows the program to be able to create and remove a link with this name (including symlinks). When a link is created, the file that is being linked to MUST have the same access permissions as the link being created (with the exception that the destination does not have to have link access.) Link access is required for unlinking a file.
  • Page 72: Managing Profiled Applications

    Chapter 5 Managing Profiled Applications After creating profiles and Immunizing your applications, the SLES 9 system will be more efficient and better protected if you perform Novell AppArmor profile maintenance, which involves tracking common issues and concerns. You can deal with common issues and concerns...
  • Page 73 Setting Up Event Notification dhcp-101.up.wirex.com has had 10 security events since Tue Oct 12 11:10:00 2004 • Summary Notification: The Summary notification displays SubDomain security events that are logged and lists the number of individual occurrences, including the date of the last occurrence. For example: SubDomain: PERMITTING...
  • Page 74: Creating Reports

    You can also export an html or text file. 1. To run reports, open the YaST GUI and click Novell AppArmor. The Novell AppArmor interface displays. 2. From Novell AppArmor, click the Review SubDomain Security Events icon.
  • Page 75 Creating Reports range to narrow down the security events you would like to view. • Filter By Program Name: Enables you to narrow down events that only pertain to the program you specify. • Export Report: Enables you to export a CSV (comma separated values) or html file.
  • Page 76: Maintaining Your Security Profiles

    4. View the report data in the SubDomain Security Event Report window. 5. Click the Done button to close the window. Note: You can also click the Back button if you want to re-run the report with new parameters or to export it after viewing it.
  • Page 77: Backing Up Your Security Profiles

    Novell AppArmor, refer to “...
  • Page 78 “Using the Add Profile Wizard” on page 24. • Run GenProf by typing genprof in a terminal while logged in as root. For detailed instructions, refer to “Genprof” on page 56. If you intend to deploy a patch or upgrade directly into a production environment, then your best method for updating your profiles is to do one of the following:...
  • Page 79: Profiling Your Web Applications Using Changehat Apache

    This feature requires that each application be made "changehat aware" meaning that it is modified to make a request to the Novell AppArmor module to switch security domains at arbitrary times during the application execution.
  • Page 80: Tools For Managing Changehat Aware Applications

    Apache configuration file: LoadModule change_hat_module modules/mod_change_hat.so Tools for Managing ChangeHat Aware Applications As with most of the Novell AppArmor tools, you can use two methods for managing ChangeHat, the YaST GUI interface or the command-line interface. Managing ChangeHat-aware applications has much more flexibility at the command-line, but it’...
  • Page 81 /srv/www/htdocs/phpsysinfo-dev/ onto a clean (new) install of Novell AppArmor. 1. Once phpsysinfo-dev is installed, you are ready to add Hats to the Apache profile. From the Novell AppArmor GUI, select Add Profile Wizard. 2. In the Profile to Add field, enter httpd2-prefork.
  • Page 82 ’s actions will be added to the newly created hat rather than the default hat for this application. In the next screen, Novell AppArmor displays an external program that the script executed. You can specify that the program should...
  • Page 83: Phpsysinfo Hat (Subprofile)

    Apache ChangeHat Note: Selecting unconfined can make a significant security hole and should be done with caution. 9. Select inherit for the /bin/bash path. This will add /bin/bash/ (accessed by Apache), to the phpsysinfo-dev hat profile with the necessary permissions. 10. Click the Allow button.
  • Page 84: Adding Hats And Entries To Hats

    When you use the Edit Novell AppArmor Profile dialog (for instructions, refer to “Editing a Novell AppArmor Profile” on page 29) or when you add a new profile using the Manually Add Novell AppArmor Profile (for instructions, refer to “...
  • Page 85 1. From the Novell AppArmor Profile Dialog window, click Add Entry, then select Hat. The Enter Hat Name dialog box displays: 2. Enter the name of the hat you would like to add to the Novell AppArmor profile. The name is the URI that, when accessed, will...
  • Page 86: Apache Configuration For Mod_Change_Hat

    3. Click the Create Hat button. You are returned to the Novell AppArmor Profile Dialog screen. 4. After adding the new Hat, click the Done button. Note: For an example of a SubDomain profile, refer to “phpsysinfo Hat (Subprofile)”...
  • Page 87: Vhosts Directives

    Apache Configuration for mod_change_hat vhosts Directives Vhosts directives control whether requests that contain trailing pathname information, following an actual filename (or non-existent file in an existing directory), will be accepted or rejected. For Apache documentation on Virtual Host directives, refer to http://httpd.apache.org/docs-2.0/mod/core.html#virtualhost The change_hat specific configuration keyword is ImmDefaultHat-...
  • Page 88 (e.g. /foo/, /foo/bar, /foo/cgi/path/blah_blah/blah, etc.). The Directory Directive works similar to the Location Directive, except it refers to a pathname in the filesystem, as seen in the following exam- ple: Novell AppArmor <Directory "/srv/www/www. .com/docs"> # Note lack of trailing slash ImmHatName immunix.com...
  • Page 89 Apache Configuration for mod_change_hat 2. Create /etc/apache2/conf.d/sysinfo.conf and add the following text to it: <Location "/sysinfo"> ImmHatName sysinfo </Location> The following hat should then work for phpsysinfo: ^sysinfo { #include <program-chunks/base-files> /bin/df /bin/bash /dev/tty /etc/SuSE-release /etc/fstab /etc/hosts /etc/mtab /proc/** /sbin/lspci /srv/www/htdocs/sysinfo/** /sys/bus/pci/devices...
  • Page 90 6. Track down configuration errors by going to the /var/log/syslog or running dmesg and looking for any rejections in the output.
  • Page 91: Support

    Linux kernel. When you update your Linux kernel, you also need to re-compile the SubDomain kernel module to again match your new kernel. The Novell AppArmor, powered by Immunix (Novell AppArmor) includes features to do this automatically, which we describe here.
  • Page 92: Using The Man Pages

    The section numbers are used to distinguish manual pages from each other; for example, exit(2) describes the exit system call, while exit(3) describes the exit C library function. The Novell AppArmor man pages are as follows: • unconfined.8 • autodep.1 •...
  • Page 93: Troubleshooting Solutions

    Troubleshooting Solutions • subdomain.conf.5 • subdomain.d.5 • subdomain.vim.5 • subdomain.7 • subdomain_parser.8 Troubleshooting Solutions SubDomain operation can generate various errors. Here is a list of possible errors and how to resolve them. If you run logprof as a non-root user such as bob you will likely see this error: bob@localhost:~>...
  • Page 94: Getting Online Support

    Subdomain parser error, line 2: Found unexpected character: Profile /etc/subdomain.d/usr.sbin.squid failed to load failed Getting Online Support You can visit our website at www.novell.com for information on our company and products. Using Mailing List Support We have a user driven mailing list at Novell AppArmor- users@mail.wirex.com.
  • Page 95: Glossary

    Using Mailing List Support Chapter 8 Glossary Apache: Apache is a freely available Unix-based Web server. It is currently the most commonly used web server on the Internet. More information about Apache can be found at the Apache website, http://www.apache.org.
  • Page 96 By not relying on attack signatures, SubDomain provides "pro-active" instead of "reactive" defense from attacks. This is better because there is no window of vulnerability where the attack signature has to be defined for SubDomain as it does for products using Attack Signatures to secure their networks.