Network Agents
Programs (servers and clients) have open network ports, and network agents are
server programs that respond to those network ports. User clients (such as mail
clients and Web browsers) also have open network ports and mediate privilege.
Web Applications
CGI Perl scripts, PHP pages, and more complex Web applications can be invoked
through a Web browser.
Cron Jobs
Programs that the cron daemon periodically runs read input from a variety of
sources.
To find out which processes are currently running with open network ports and might
need a profile to confine them, run the unconfined command as root.
Example 4.1 Output of unconfined
19848 /usr/sbin/cupsd not confined
19887 /usr/sbin/sshd not confined
19947 /usr/lib/postfix/master not confined
29205 /usr/sbin/sshd confined by '/usr/sbin/sshd (enforce)'
Each of the processes in the above example labeled not confined might need a
custom profile to confine it. Those labeled confined by are already protected by
AppArmor.
TIP: For More Information
For more information about choosing the right applications to profile, refer
to Chapter Selecting Programs to Immunize (↑Novell AppArmor Powered by
Immunix 1.2 Administration Guide).
4.2 Building and Modifying Profiles
Novell® AppArmor on SUSE Linux ships with a preconfigured set of profiles for the
most important applications. In addition to that, you can use AppArmor to create your
own profiles for a set of applications defined in /etc/apparmor/README.profiles.