Novell APPARMOR Admin Manual page 16

User's Guide
Notes:

Requires root privilege, and should not itself be run from within a Novell AppArmor profile.

unconfined does not distinguish between one network interface and another, so it reports all unconfined processes, even those that may be listening on an internal LAN interface.

Finding user network client applications depends on your user's preferences. The unconfined tool detects and reports network ports opened by client applications, but only for client applications that are running at the time the unconfined analysis is performed. This is a problem because network services tend to be running all the time, while network client applications tend to be running only when the user is interested in them.

Applying Novell AppArmor profiles to user network client applications is also dependent on the user's preferences, and is intended for servers rather than workstations, so we leave profiling of user network client applications as an exercise for the user.

To aggressively confine desktop applications, the unconfined command supports a paranoid option, which reports all running processes and the corresponding AppArmor profiles that may or may not be associated with each process. The person running unconfined can then decide whether each of these programs needs an AppArmor profile.

Additional profiles may be traded with other users and with the Novell security development team on the user's mailing list at the following URL:
Novell AppArmor
http://mail.wirex.com/mailman/listinfo/
-
users
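
Because unconfined does not distinguish between network interfaces, its report may need to be triaged by bind address before deciding what to profile first. The following is an added example, not part of the Novell manual and not the unconfined tool's own code: it assumes socket listings in the format of `ss -H -tulnp` and confinement labels as read from /proc/<pid>/attr/current, and all function names and sample data are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the format of `ss -H -tulnp` (not captured from a real host).
SAMPLE_SS = """\
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=640,fd=7))
udp UNCONN 0 0 192.168.1.10:123 0.0.0.0:* users:(("ntpd",pid=701,fd=19))
tcp LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=900,fd=6))
"""
# Constructed labels, in the form assumed for /proc/<pid>/attr/current.
SAMPLE_LABELS = {812: "unconfined", 640: "unconfined",
                 701: "/usr/sbin/ntpd (enforce)", 900: "unconfined"}

def read_label(pid):
    """Read a live process's AppArmor label (root is needed for other users' processes)."""
    with open(f"/proc/{pid}/attr/current") as fh:
        return fh.read().strip()

def scope(host):
    """Classify a bind address so internal-only listeners can be told apart."""
    host = host.strip("[]").split("%")[0]    # drop IPv6 brackets and %iface suffix
    if host == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:                    # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:                       # checked before is_private on purpose
        return "loopback"
    return "internal" if ip.is_private else "public"

def unconfined_listeners(ss_text, label_of=read_label):
    """Return sorted (scope, port, program, pid) for listeners without a profile."""
    found = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue                         # no process information on this line
        host, port = fields[4].rsplit(":", 1)
        users = " ".join(fields[6:])
        for prog, pid in re.findall(r'\("([^"]+)",pid=(\d+)', users):
            if label_of(int(pid)) == "unconfined":
                found.append((scope(host), int(port), prog, int(pid)))
    return sorted(found)

if __name__ == "__main__":
    for row in unconfined_listeners(SAMPLE_SS, SAMPLE_LABELS.get):
        print(*row)
```

On a live host, pass the real `ss` output and leave `label_of` at its default; like unconfined itself, this only sees processes that are running when the listing is taken.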