Novell APPARMOR 2.1 Quick Start Manual


Novell AppArmor (2.1)
Quick Start
This document helps you understand the main concepts behind Novell® AppArmor—the content of AppArmor
profiles. Learn how to create or modify AppArmor profiles. You can create and manage AppArmor profiles in
three different ways. The most convenient interface to AppArmor is provided by the AppArmor YaST
modules, which can be used either in graphical or ncurses mode. The same functionality is provided by the
AppArmor command line tools, or you can simply edit the profiles in a text editor.
AppArmor Modes
complain/learning
In complain or learning mode, violations of AppArmor
profile rules, such as the profiled program accessing files
not permitted by the profile, are detected. The violations
are permitted, but also logged. This mode is convenient
for developing profiles and is used by the AppArmor
tools for generating profiles.
enforce
Loading a profile in enforcement mode enforces the
policy defined in the profile and reports policy violation
attempts to syslogd.
Starting and Stopping AppArmor
Use the rcapparmor command with one of the following
parameters:
start
Load the kernel module, mount securityfs, parse and
load profiles. Profiles and confinement are applied to
any application started after this command was executed.
Processes already running at the time AppArmor is
started continue to run unconfined.
stop
Unmount securityfs, and invalidate profiles.
reload
Reload profiles.
status
If AppArmor is enabled, output how many profiles are
loaded in complain or enforce mode.
Use the rcaaeventd command to control event logging
with aa-eventd. Use the start and stop options to toggle
the status of aa-eventd, and check its status using the
status option.
AppArmor Command Line Tools
autodep
Guess basic AppArmor profile requirements. autodep
creates a stub profile for the program or application
examined. The resulting profile is called "approximate"
because it does not necessarily contain all of the profile
entries that the program needs to be confined properly.
complain
Set an AppArmor profile to complain mode.
Manually activating complain mode (using the command
line) adds a flag to the top of the profile so that
/bin/foo becomes /bin/foo flags=(complain).
enforce
Set an AppArmor profile to enforce mode from complain
mode.
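The complain and enforce tools described above change only the header line of a profile: complain adds flags=(complain) so that /bin/foo becomes /bin/foo flags=(complain), and enforce removes it again. The following POSIX shell functions are an added example (not code from the Novell card or the AppArmor project) that reproduces that text edit on a constructed profile held in a variable, plus a small check that reports which mode a profile text is in. Only the path /bin/foo comes from the card; the profile body and the function names set_complain, set_enforce and profile_mode are assumptions for illustration, and loading the edited profile into the kernel is left to the real tools.

```shell
#!/bin/sh
# Added example, not from the Novell quick start card: reproduce the
# header edit that the complain and enforce tools make to a profile.
# The path /bin/foo is the card's own example; the profile body below
# is constructed for illustration.

SAMPLE_PROFILE='#include <tunables/global>
/bin/foo {
  #include <abstractions/base>
  /etc/foo.conf r,
}'

# set_complain PROFILE_TEXT PROGRAM
# Adds flags=(complain) to the header of PROGRAM, so
# "/bin/foo {" becomes "/bin/foo flags=(complain) {".
# A header that already carries the flag is left unchanged.
set_complain() {
  printf '%s\n' "$1" | sed "s|^$2 {|$2 flags=(complain) {|"
}

# set_enforce PROFILE_TEXT PROGRAM
# Removes the complain flag again, so the profile is enforced once
# it is loaded: "/bin/foo flags=(complain) {" becomes "/bin/foo {".
set_enforce() {
  printf '%s\n' "$1" | sed "s|^$2 flags=(complain) {|$2 {|"
}

# profile_mode PROFILE_TEXT PROGRAM
# Prints "complain" or "enforce" according to the header flag, or
# "missing" when PROGRAM has no profile header in the text at all.
profile_mode() {
  if printf '%s\n' "$1" | grep -q "^$2 flags=(complain) {"; then
    echo complain
  elif printf '%s\n' "$1" | grep -q "^$2 {"; then
    echo enforce
  else
    echo missing
  fi
}

# Walk the constructed profile through both modes and show the header.
COMPLAIN_PROFILE=$(set_complain "$SAMPLE_PROFILE" /bin/foo)
printf 'after complain: %s\n' "$(printf '%s\n' "$COMPLAIN_PROFILE" | sed -n 2p)"
printf 'mode: %s\n' "$(profile_mode "$COMPLAIN_PROFILE" /bin/foo)"
ENFORCE_PROFILE=$(set_enforce "$COMPLAIN_PROFILE" /bin/foo)
printf 'after enforce: %s\n' "$(printf '%s\n' "$ENFORCE_PROFILE" | sed -n 2p)"
printf 'mode: %s\n' "$(profile_mode "$ENFORCE_PROFILE" /bin/foo)"
```

Because both functions anchor on the exact header line, running set_complain twice leaves the profile unchanged, and set_enforce on a profile that is already in enforce mode is a no-op; that matches the card's description of the flag being added to, or removed from, the top of the profile.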
1
NOVELL® QUICK START CARD

Summary of Contents for Novell APPARMOR 2.1

  • Page 2: Learning Mode

    Manually activating enforce mode (using the command line) removes mode flags from the top of the profile, so that /bin/foo flags=(complain) becomes /bin/foo.

    Edit: Enable editing of the highlighted line. The new (edited) line appears at the bottom of the list. This option is called New in the logprof and genprof command line tools.
  • Page 3: Capability Entries (Posix.1E)

    The example would allow IPv4 network access of the datagram and raw type for the ping command. For details on the network rule syntax, refer to the Novell AppArmor Administration Guide.

    Rules: Defining Execute Permissions. For executables that may be called from the confined pro-
  • Page 4: Logging And Auditing

    /etc/audit/auditd.conf to apparmor-dbus and restart auditd: dispatcher=/usr/bin/apparmor-dbus. Once the dbus dispatcher is configured correctly, add the AppArmor Desktop Monitor to the GNOME panel.

    behavior of the profiled applications. In this case, update your profiles as outlined in the Troubleshooting section of the Novell AppArmor Administration Guide.

    Hats
  • Page 5: Legal Notice

    Novell® logo, the N® logo, are registered trademarks of Novell, Inc. in the United States and other countries. Linux* is a registered trademark of Linus Torvalds. All third-party

    AppArmor. Find more information on the concept and the configuration of AppArmor in the Novell AppArmor Administration Guide.
  • Page 6: GNU Free Documentation License, Version 1.2, November 2002. Copyright (C) 2000,2001,2002 Free Software Foundation, Inc. COPYING IN QUANTITY: If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document’s license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front
  • Page 7: If a section in the Document is Entitled “Acknowledgements”, “Dedications”, or “History”, the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title. COMBINING DOCUMENTS: You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections... TERMINATION