Support - Novell APPARMOR Admin Manual

Chapter 7 Support
Updating Novell AppArmor Online
SuSE LINUX Enterprise Server 9 (SLES 9) provides a continuous
stream of updates through the YOU agent, and from time to time those
updates include revisions to the Linux kernel. When you update your
Linux kernel, you also need to recompile the SubDomain kernel module
so that it matches the new kernel. Novell AppArmor, powered by
Immunix (Novell AppArmor), includes features that do this
automatically, as described here.

When Novell AppArmor is installed, it includes RPM triggers so that
when the kernel is updated, RPM events fire that cause the SubDomain
kernel module to be recompiled. In most cases, this recompiling
of the SubDomain kernel module should happen quickly and silently,
and you may not even notice it.

However, this re-compilation can fail for a variety of reasons, including
not having all of the required devtools packages installed, having a
Linux kernel source tree that does not match your running kernel, and
not having a Linux kernel source tree at all.
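
A preflight check for the three failure causes listed above, as an added example that is not part of the Novell manual. The module name `subdomain`, the `/lib/modules/<release>/build` location, and the `gcc`/`make` tool list are assumptions, not values from the manual.

```shell
#!/bin/sh
# Added example. Assumptions not taken from the manual: module name
# "subdomain", the /lib/modules/<release>/build symlink, gcc and make as tools.
PREFLIGHT_TOOLS="${PREFLIGHT_TOOLS:-gcc make}"

# module_loaded NAME [FILE]: succeed if NAME appears in a /proc/modules listing.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}"
}

# tree_release DIR: print the release a kernel tree was configured for.
# The header holding UTS_RELEASE moved between kernel versions, so try each.
tree_release() {
    for h in include/generated/utsrelease.h include/linux/utsrelease.h \
             include/linux/version.h; do
        [ -f "$1/$h" ] || continue
        sed -n 's/^#define UTS_RELEASE "\(.*\)"$/\1/p' "$1/$h" | head -n 1
        return 0
    done
    return 1
}

# rebuild_preflight RELEASE [ROOT]: report each of the three failure causes
# for kernel RELEASE under ROOT (default /); return 1 if any is present.
rebuild_preflight() {
    rel=$1 build="${2:-}/lib/modules/$1/build" rc=0
    for tool in $PREFLIGHT_TOOLS; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing build tool: $tool"; rc=1; }
    done
    if [ ! -d "$build" ]; then
        echo "no kernel source tree at $build"; rc=1
    else
        have=$(tree_release "$build") || have=unknown
        [ "$have" = "$rel" ] || { echo "source tree is for '$have', not '$rel'"; rc=1; }
    fi
    return $rc
}

# Check the live system only when asked: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    module_loaded subdomain || echo "subdomain module is not loaded"
    rebuild_preflight "$(uname -r)"
fi
```

Pass the release of the newly installed kernel as the first argument to check it before rebooting into it.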

To guard against such failures, you can configure what SubDomain
does at boot if it fails to load:

Warn: Logs a warning message and proceeds to boot. This provides
maximum availability, in that your computer boots and runs normally,
but also may cause security vulnerabilities, because your machine is
now running without SubDomain protection. This is the default behavior.

Build: Attempts to build a module that is compatible with the running
kernel. If successful, SubDomain is loaded and runs normally.
If the compile is not successful, an error message is logged as in the
Warn case.

Panic: If the SubDomain module fails to load, then a failure message
is logged and the machine drops to single-user mode. This compromises
availability, but preserves security, in that the machine will