Novell APPARMOR Admin Manual page 13

How To Immunize With Novell AppArmor
each of these programs. For instance, adding the line
"/srv/www/cgi-bin/my_hit_counter.pl rpx," would grant Apache permission
to execute the PERL script my_hit_counter.pl and require that there be a
dedicated profile for my_hit_counter.pl. If my_hit_counter.pl does not
have a dedicated profile associated with it, then the rule should say
"/srv/www/cgi-bin/my_hit_counter.pl rix," to cause my_hit_counter.pl to
inherit the usr.sbin.httpd2-prefork profile.
Some users may find it inconvenient to specify execute permission for
every CGI script that Apache may invoke. Instead, the administrator can
grant controlled access to collections of CGI scripts. For instance,
adding the line "/srv/www/cgi-bin/*.{pl,py,pyc} rix," will allow Apache
to execute all files in /srv/www/cgi-bin/ ending in .pl (PERL scripts) or
.py or .pyc (Python scripts). As above, the "ix" part of the rule causes
these scripts to inherit the Apache profile, which is appropriate if you
do not want to write an individual profile for each script.
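The following profile fragment is an added example and is not taken from the manual; it puts the two exec rules discussed above side by side so the difference between "px" (transition to a dedicated profile) and "ix" (run under the Apache profile) is visible in one place. The paths /srv/www/cgi-bin/my_hit_counter.pl and /usr/sbin/httpd2-prefork come from the text; every other path, the capabilities, the data file and the choice of Python for the glob are assumptions made for illustration.

```apparmor
# Added example: Apache profile fragment with a px rule and an ix rule.
# Everything except the cgi-bin paths and the httpd2-prefork binary is
# an assumption for illustration.
/usr/sbin/httpd2-prefork {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Assumed: the server starts as root and drops privileges.
  capability setuid,
  capability setgid,

  # Assumed: configuration, document root and logs.
  /etc/apache2/** r,
  /srv/www/htdocs/** r,
  /var/log/apache2/* w,

  # px: Apache may execute this script, but the child must transition to
  # a profile named /srv/www/cgi-bin/my_hit_counter.pl (defined below).
  # If no profile of that name is loaded, the exec is denied.
  /srv/www/cgi-bin/my_hit_counter.pl rpx,

  # ix: every Python CGI script under cgi-bin runs with THIS profile's
  # permissions, so no per-script profile is needed. The glob is narrowed
  # to Python here so that it does not also match my_hit_counter.pl;
  # overlapping rules with different x modifiers are rejected by
  # apparmor_parser as conflicting.
  /srv/www/cgi-bin/*.{py,pyc} rix,
  /usr/bin/python rix,
}

# Dedicated profile required by the px rule above. These permissions are
# what the hit counter gets instead of Apache's; the data file is assumed.
/srv/www/cgi-bin/my_hit_counter.pl {
  #include <abstractions/base>
  #include <abstractions/perl>

  /usr/bin/perl rix,
  /srv/www/cgi-bin/my_hit_counter.pl r,
  /srv/www/hit_counter.dat rw,
}
```

Two points a practitioner should keep in mind when choosing between the two forms. A script executed under "ix" runs with every permission listed in the Apache profile, so a flaw in any script matched by the glob exposes everything Apache can reach; "px" is the safer choice for a script that handles untrusted input or that needs access (here, a writable data file) that the web server itself should not have. Also, "*" in an AppArmor path does not cross a "/", so scripts in subdirectories of /srv/www/cgi-bin/ are not matched by the glob and need a rule of their own. After editing, reload the profile with apparmor_parser -r on the profile file (usr.sbin.httpd2-prefork in the naming convention used above) and check that the dedicated profile loaded as well, since the px rule depends on it.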
Note:
If you want the sub-process confinement (mod_change_hat) functionality for
web applications that are handled by Apache modules (mod_perl and mod_php),
the Novell AppArmor sub-process confinement module must be inserted into
the Apache web server. The Novell AppArmor installer installs this modified
Apache web server along with change_hat. Novell AppArmor for Apache is
provided by the mod_change_hat Apache module. To take advantage of
sub-process confinement, refer to "Apache ChangeHat" on page 79.
Profiling web applications that use mod_perl and mod_php requires slightly
different handling. In this case, the "program" is a script interpreted
directly by the module within the Apache process, so no exec happens.
Instead, the Novell AppArmor version of Apache calls change_hat(), naming a
subprofile (a "hat") corresponding to the name of the URI being requested.
For mod_perl and mod_php scripts, this will be the name of the PERL script
or the PHP page requested. So for example, adding this subprofile to foo
will allow the