Novell APPARMOR Admin Manual page 57

Two Methods of Profiling
" Summary of Profiling Tools" o n p a g e5 2 . Note: there is a nam-
ing convention relating the full path of a program to its profile file
name so that the various Novell AppArmor profiling tools can
consistently manipulate them. The convention is to replace /
with . so that the profile for /usr/sbin/httpd2-prefork is
stored in
/etc/subdomain.d/usr.sbin.httpd2-prefork
• P u t t h e p r o f i l e f o r t h i s p r o g r a m i n t o " l e a r n i n g " o r " c o mp l a i n " mo d e
so that profile violations are logged, but are permitted to pro-
ceed. A log event looks like this:
Oct 9 15:40:31 SubDomain: PERMITTING r access to
/etc/apache2/httpd.conf (httpd2-prefork(6068) profile
/usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
• Mark syslog with a beginning marker of log events to consider.
3. The tool prompts you to run the application to be profiled in another
terminal window. Perform as many of the application functions as
possible so learning mode can log the files and directories the pro-
gram requires access to in order to function properly. For example,
in a new terminal window type /etc/init.d/apache2 start
4. You are given the following menu choices which can be used after
you have executed the program functionality:
• Select "S" from the genprof menu to run logprof against
the system log from where it was marked when genprof was
started, and reloads the profile.
• Select "F" from the genprof menu to exit.
5. If you selected "S" in the previous step and system events exist in
the log, Novell AppArmor will parse the learning mode log files.
This will generate a series of questions which you must answer to
guide genprof in generating the security profile.
I f r e q u e s t s t o a d d h a t s a p p e a r , p r o c e e d t o " What is Change-
Note:
Hat?" o n p a g e7 9 .
The questions will fall into two categories:
• A resource is requested by a profiled program that is not in the pro-
57