Novell APPARMOR Admin Manual page 66


User's Guide
The program /usr/bin/less appears to be a simple one for scrolling
through text that is more than one screen long, and that is in fact
what /usr/bin/mail is using it for. However, less is actually a
large and powerful program that makes use of many other helper
applications, such as tar and rpm.
We notably do not want to automatically invoke rpm when reading mail
messages (that leads directly to a Microsoft Outlook style virus attack,
because rpm needs the power to install and modify system programs)
and so in this case the best choice is to use "I"nherit. This will result in
the less program executed from this context running under the profile
for /usr/bin/mail. This has two consequences:
• We will need to add all of the basic file accesses for /usr/bin/less
to the profile for /usr/bin/mail.
• We can avoid adding the helper applications such as tar and
rpm to the /usr/bin/mail profile, so that when
/usr/bin/mail runs /usr/bin/less in this context,
the less program is far less dangerous than it would be without
Novell AppArmor protection.
In other circumstances, we may instead want to use the "P"rofile
option. This has two effects on logprof:
• The rule written into the profile is px, which forces the transition
to the child's own profile.
• logprof constructs a profile for the child and starts building it,
in the same way that it built the parent profile, by ascribing
events for the child process to the child's profile and asking the
logprof user questions as above.
Finally, we might want to grant the child process very powerful access
by specifying "U"nconfined. This writes "ux" into the parent profile, so
that when the child runs, it runs without any Novell AppArmor profile
being applied at all. This means running with no protection, and should
only be used when absolutely required.
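The three execute choices above, shown as rules in a profile and checked by a small audit. This is an added example, not part of the Novell manual: the sample profile is constructed, the inherit choice is written with the ix rule, and every path other than /usr/bin/mail and /usr/bin/less is hypothetical.

```python
import re

# Constructed sample in the "path perms," rule syntax. Every path except
# /usr/bin/mail and /usr/bin/less is hypothetical.
SAMPLE_PROFILE = """\
/usr/bin/mail {
  #include <abstractions/base>
  /etc/mailrc          r,
  /usr/bin/less        rix,  # inherit: less runs under this profile
  /usr/bin/procmail    px,   # child switches to its own profile
  /usr/local/bin/fixup ux,   # child runs with no profile at all
}
"""

EXEC_MODES = ("ix", "px", "ux")
PROFILE_START = re.compile(r"^(/\S+)\s*\{")
FILE_RULE = re.compile(r"^(/\S+)\s+([a-zA-Z]+)\s*,")

def exec_rules(profile_text):
    """Return (profile, child_path, mode) for every execute rule."""
    found, current = [], None
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and #include
        start, rule = PROFILE_START.match(line), FILE_RULE.match(line)
        if start:
            current = start.group(1)
        elif line == "}":
            current = None
        elif rule and current:
            perms = rule.group(2).lower()  # later releases also accept Px/Ux
            found += [(current, rule.group(1), m) for m in EXEC_MODES if m in perms]
    return found

def findings(profile_text, helpers=("tar", "rpm")):
    """Flag ux rules, and helpers an inherited (ix) child could launch."""
    rules = exec_rules(profile_text)
    out = [f"{p}: {c} runs unconfined (ux)" for p, c, m in rules if m == "ux"]
    inheriting = {p for p, _, m in rules if m == "ix"}
    out += [f"{p}: inherited children can execute helper {c}"
            for p, c, _ in rules
            if p in inheriting and c.rsplit("/", 1)[-1] in helpers]
    return out

if __name__ == "__main__":
    for profile, child, mode in exec_rules(SAMPLE_PROFILE):
        print(f"{profile} -> {child} ({mode})")
    for finding in findings(SAMPLE_PROFILE):
        print("REVIEW:", finding)
```

The helper check reflects the point made for "I"nherit: a child running under the parent's profile can execute whatever that profile allows, so tar and rpm rules in the /usr/bin/mail profile would be reachable from less.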
1. Run less on a tar ball or an rpm file and it will show you the inventory of these containers.