Novell APPARMOR Admin Manual page 54


User's Guide
and there are no other programs in that directory, then the simple command "autodep /path/to/your/programs/*" will create nominal profiles for all programs in that directory.
using ps: You can run your application and use the standard Linux ps command to find all running processes. You then need to manually hunt down the location of these programs and run the autodep program for each one. If the programs are in your path, autodep will find them for you. If they are not in your path, the standard Linux command locate may be helpful in finding your programs. If locate does not work (it is not a default program on certain systems), you can try using find / -name '*foo*' -print.
Complain or Learning Mode
The Novell AppArmor complain (or learning) mode tool detects violations of SubDomain profile rules, such as the profiled program accessing files not permitted by the profile. The violations are permitted, but also logged. To improve the profile, turn complain mode on, run the program through a suite of tests to generate log events that characterize the program's access needs, then post-process the log with the Novell AppArmor tools to transform log events into improved profiles.
Manually activating complain mode (using the command line) adds a flag to the top of the profile so that "/bin/foo {" becomes "/bin/foo flags=(complain) {". To use complain mode, open a terminal window and type one of the following lines as a root user.
• If the example program (program1) is in your path, type:
complain [program1 program2 ...]
• If the program is not in your path, you should specify the entire path,
as follows:
complain /sbin/program1
• If the profiles are not in /etc/subdomain.d, type the following to
override the default location:
complain /path/to/profiles/ program1
• Alternately, you can specify the profile for program1, as follows:
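
Added example, not part of the Novell manual: because complain mode permits violations and only logs them, a profile still carrying the flags=(complain) header described above is not enforcing. This shell script lists such profiles in a profile directory; the function names, the constructed sample profiles, and the allowance for other words inside flags=(...) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the Novell manual): report profiles that carry
# the complain flag, i.e. profiles that log violations without blocking them.

PROFILE_DIR_DEFAULT=/etc/subdomain.d   # default location named on this page

# list_complain_profiles [DIR]: print "file: header" for every profile
# header in DIR whose flags=(...) list contains "complain".
list_complain_profiles() {
    dir=${1:-$PROFILE_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no such profile directory: $dir" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Header = absolute path, flags=(...), opening brace. Commented-out
        # headers are skipped. Allowing other words inside flags=(...) is an
        # assumption; the page only shows flags=(complain).
        awk -v file="$f" '
            /^[ \t]*#/ { next }
            /^[ \t]*\/[^ \t]*[ \t]+flags=\([^)]*complain[^)]*\)[ \t]*\{/ {
                sub(/^[ \t]+/, "")
                sub(/[ \t]*\{.*$/, "")
                print file ": " $0
            }' "$f"
    done
}

# count_complain_profiles [DIR]: number of headers found above.
count_complain_profiles() {
    list_complain_profiles "$@" | wc -l | tr -d ' '
}

# demo: run the check over constructed sample profiles in a temp directory.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '/bin/foo flags=(complain) {\n  /etc/passwd r,\n}\n' > "$tmp/bin.foo"
    printf '/sbin/program1 {\n  /etc/hosts r,\n}\n' > "$tmp/sbin.program1"
    list_complain_profiles "$tmp"
    rm -rf "$tmp"
}

case "${1:-}" in
    --demo) demo ;;
    "")     ;;
    *)      list_complain_profiles "$1" ;;
esac
```

Run it with --demo to see the output on the constructed profiles, or pass a profile directory as the only argument.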