Novell APPARMOR Admin Manual page 65

Two Methods of Profiling
Finally, you may want to grant more general access to FTP files. If you select "G"lob last entry, then logprof will replace the suggested path of /y2k.jpg with /*. Or you may want to grant even more access to the entire directory tree, in which case you could use the "N"ew path option and enter "/**.jpg" (which would grant access to all .jpg files in the entire directory tree) or "/**" (which would just grant access to all files in the directory tree).
The above deals with read accesses. Write accesses are similar, except that it is good policy to be more conservative in your use of regular expressions for write accesses.
Dealing with execute accesses is more complex. You must decide which of the three kinds of execute permissions you intend to grant:
• inherit (ix): The child inherits the parent's profile, i.e. runs with the same access controls as the parent. This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target's profile, or losing the permissions of the current profile. This mode is often used when the child program is a "helper application", such as the /usr/bin/mail client using the less program as a pager, or the Mozilla web browser using the acrobat program to display PDF files.
• profile (px): The child runs using its own profile, which must be loaded into the kernel. If the profile is not present, then attempts to execute the child will fail with permission denied. This is most useful if the parent program is invoking a global service, such as DNS lookups or sending mail via your system's MTA.
• unconfined (ux): The child runs completely unconfined, without any Novell AppArmor profile being applied to the executed resource.
In this example, we are profiling the /usr/bin/mail mail client, and logprof has discovered that /usr/bin/mail executes /usr/bin/less as a helper application to "page" long mail messages, and presents us with this prompt:
/usr/bin/nail -> /usr/bin/less
(I)nherit / (P)rofile / (U)nconstrained / (D)eny
1. The actual executable file for /usr/bin/mail turns out to be /usr/bin/nail, which is not a typographical error.
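As an added illustration of the two decisions this page describes (how far each logprof path suggestion reaches, and which execute mode a rule grants), here is a small Python model of AppArmor's path-glob matching and of a rule lookup. It is not code from the manual or from AppArmor itself: the profile fragment, the sample paths, and the sendmail (px) and gpg (ux) rules are constructed assumptions, and the line parser and first-match lookup are simplifications of what the real AppArmor parser and kernel do.

```python
import re

# Constructed profile fragment in AppArmor-like syntax (not from the manual).
# "/usr/bin/less ix" mirrors the logprof prompt on this page; the sendmail (px)
# and gpg (ux) rules are assumptions added to show the other two execute modes.
PROFILE = """
/usr/bin/nail {
  /**.jpg r,
  /usr/bin/less ix,
  /usr/sbin/sendmail px,
  /usr/bin/gpg ux,
}
"""

# Constructed sample paths used to show how broad each glob candidate is.
SAMPLE_PATHS = [
    "/y2k.jpg",
    "/vacation.jpg",
    "/notes.txt",
    "/photos/2006/beach.jpg",
    "/etc/passwd",
]


def glob_to_regex(glob):
    """Translate an AppArmor path glob into an anchored regex.

    '*'  matches any run of characters except '/'
    '**' matches any run of characters including '/'
    '?'  matches one character other than '/'
    Other AppArmor glob features ({a,b}, [abc]) are deliberately left out.
    """
    out = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def matches(glob, path):
    return glob_to_regex(glob).match(path) is not None


def matched_paths(glob, candidates=SAMPLE_PATHS):
    """Return the candidate paths a glob covers: a quick check of how much
    access a logprof suggestion such as /* or /** really grants."""
    return [p for p in candidates if matches(glob, p)]


def parse_rules(profile_text):
    """Pull (glob, permissions) pairs out of the fragment. Toy parser: only
    'path perms,' lines are understood; the profile header and '}' are skipped."""
    rules = []
    for line in profile_text.splitlines():
        line = line.strip()
        if not line.endswith(","):
            continue
        glob, perms = line[:-1].rsplit(None, 1)
        rules.append((glob, perms))
    return rules


def access(rules, path, perm):
    """Return the permission string of the first rule granting `perm` on `path`,
    or None if no rule does. For perm == 'x' the string names the execute mode
    (ix, px or ux). Simplification: real AppArmor accumulates permissions across
    all matching rules instead of stopping at the first one."""
    for glob, perms in rules:
        if matches(glob, path) and perm in perms:
            return perms
    return None


RULES = parse_rules(PROFILE)

if __name__ == "__main__":
    for glob in ("/y2k.jpg", "/*", "/**.jpg", "/**"):
        print(f"{glob:10} -> {matched_paths(glob)}")
    for path in ("/usr/bin/less", "/usr/sbin/sendmail", "/usr/bin/gpg", "/etc/passwd"):
        print(f"x {path}: {access(RULES, path, 'x')}")
```

Running it shows why the manual advises caution with the broader suggestions: /* stays inside the top directory, /**.jpg follows subdirectories but only for .jpg files, and /** reaches every path, /etc/passwd included, which is exactly the breadth you do not want in a write rule.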