Enforce Mode - Novell APPARMOR Admin Manual

Two Methods of Profiling
complain /etc/subdomain.d/sbin.
Each of the above commands will activate complain mode for the profiles/programs listed. The command can either list programs or profiles. If the program name does not include its entire path, then complain searches $PATH for the program. So for instance "complain /usr/sbin/*" will find the profiles associated with all of the programs in /usr/sbin and put them into complain mode, and "complain /etc/subdomain.d/*" will put all of the profiles in /etc/subdomain.d into complain mode.

Enforce Mode

The enforce mode Novell AppArmor tool detects violations of Novell AppArmor profile rules, such as the profiled program accessing files not permitted by the profile. The violations are logged and NOT permitted. Turn enforce mode on when you want the Novell AppArmor profiles to control the access of the program that is profiled. The default is for enforce mode to be turned on; enforce toggles with complain mode.
Manually activating enforce mode (using the command line) adds a flag to the top of the profile so that "/bin/foo {" becomes "/bin/foo flags=(enforce) {". To use enforce mode, open a terminal window and type one of the following lines as a root user.
• If the example program (program1) is in your path, type:
enforce [program1 program2 ...]
• If the program is not in your path, specify the entire path, as follows:
enforce /sbin/program1
• If the profiles are not in /etc/subdomain.d, type the following to override the default location:
enforce /path/to/profiles/ program1
• Alternately, you can specify the profile for program1, as follows:
program1
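The complain and enforce commands in the two sections above do three things the text describes but does not show: resolve a bare program name through $PATH, map the program path to its profile file under /etc/subdomain.d, and rewrite the profile header so that "/bin/foo {" becomes "/bin/foo flags=(enforce) {" (or flags=(complain)). The shell script below is an added example of those steps, not code from the manual or from the AppArmor project. It assumes that the profile header is the first line starting with "/" and ending with "{", that the profile file name is the program path with the leading "/" dropped and the remaining "/" turned into "." (so /sbin/program1 becomes sbin.program1, matching the "sbin." fragment in the complain section), and that setting a mode replaces any existing flags=(...) on the header. All names in it (PROFILE_DIR, profile_name_for_path, profile_file_for, profile_mode, set_profile_mode) are the example's own, and it only ever touches a constructed profile in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the Novell AppArmor manual or the AppArmor project):
# a minimal stand-in for what the complain/enforce tools do to a profile
# header, plus the program-to-profile lookup they perform. Assumptions:
#   - the header is the first line that starts with "/" and ends with "{";
#   - the profile file is named after the program path with the leading "/"
#     dropped and the other "/" turned into "." (e.g. /sbin/foo -> sbin.foo);
#   - the profile directory defaults to /etc/subdomain.d, as on the page.
set -e

PROFILE_DIR=${PROFILE_DIR:-/etc/subdomain.d}

# profile_name_for_path /usr/sbin/program1  ->  usr.sbin.program1
profile_name_for_path() {
    printf '%s\n' "${1#/}" | tr / .
}

# profile_file_for PROGRAM [DIR]: resolve a bare program name via $PATH (as the
# complain/enforce commands do), then map the full path to the profile file.
profile_file_for() {
    prog=$1 dir=${2:-$PROFILE_DIR}
    case "$prog" in
        /*) path=$prog ;;
        *)  path=$(command -v "$prog") || { echo "$prog: not found in PATH" >&2; return 1; } ;;
    esac
    printf '%s/%s\n' "$dir" "$(profile_name_for_path "$path")"
}

# profile_mode FILE: print "complain" if the header carries flags=(complain),
# otherwise "enforce" (no flag at all, or flags=(enforce), both mean enforce,
# which the manual states is the default).
profile_mode() {
    header=$(grep '^/.*{[[:space:]]*$' "$1" | head -n 1)
    case "$header" in
        *"flags=("*complain*")"*) echo complain ;;
        *)                        echo enforce ;;
    esac
}

# set_profile_mode FILE MODE: rewrite the header so "/bin/foo {" or
# "/bin/foo flags=(...) {" becomes "/bin/foo flags=(MODE) {".
# Only the header line is edited; the rules inside the profile are untouched.
set_profile_mode() {
    file=$1 mode=$2
    case "$mode" in
        enforce|complain) ;;
        *) echo "mode must be enforce or complain, got '$mode'" >&2; return 1 ;;
    esac
    tmp=$(mktemp)
    sed -e '/^\/.*{[[:space:]]*$/{' \
        -e 's/[[:space:]]*flags=([^)]*)//' \
        -e "s/[[:space:]]*{[[:space:]]*\$/ flags=($mode) {/" \
        -e '}' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Demo on a constructed profile in a temporary directory (no real profile is touched).
demo_dir=$(mktemp -d)
demo_profile=$(profile_file_for /sbin/program1 "$demo_dir")
printf '#include <tunables/global>\n/sbin/program1 {\n  /etc/program1.conf r,\n}\n' > "$demo_profile"
echo "$demo_profile: $(profile_mode "$demo_profile")"
set_profile_mode "$demo_profile" complain
sed -n 2p "$demo_profile"
set_profile_mode "$demo_profile" enforce
sed -n 2p "$demo_profile"
rm -rf "$demo_dir"
```

Run it as an unprivileged user to see the header toggle between flags=(complain) and flags=(enforce); point PROFILE_DIR and the file argument at a real profile only when you intend to change the mode the kernel applies on the next profile load, since in enforce mode every access the profile does not grant is denied, not merely logged.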