Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 207


Profiling Web applications that use mod_perl and mod_php requires slightly different
handling. In this case, the "program" is a script interpreted directly by the module
within the Apache process, so no exec happens. Instead, the Novell AppArmor version
of Apache calls change_hat() using a subprofile (a "hat") corresponding to the
name of the URI requested.
NOTE
The name presented for the script to execute might not be the URI, depending
on how Apache has been configured for where to look for module scripts. If
you have configured your Apache to place scripts in a different place, the
different names appear in the log file when Novell AppArmor complains about
access violations. See Chapter 27, Managing Profiled Applications (page 289).

For mod_perl and mod_php scripts, this is the name of the Perl script or the PHP
page requested. For example, adding this subprofile allows the localtime.php page
to execute and access the local system time:

    /usr/bin/httpd2-prefork {
      # ...
      ^/cgi-bin/localtime.php {
        /etc/localtime                  r,
        /srv/www/cgi-bin/localtime.php  r,
        /usr/lib/locale/**              r,
      }
    }

If no subprofile has been defined, the Novell AppArmor version of Apache applies the
DEFAULT_URI hat. This subprofile is basically sufficient to display an HTML Web
page. The DEFAULT_URI hat that Novell AppArmor provides by default is the following:

    ^DEFAULT_URI {
      /usr/sbin/suexec2                 mixr,
      /var/log/apache2/**               rwl,
      @{HOME}/public_html               r,
      @{HOME}/public_html/**            r,
      /srv/www/htdocs                   r,
      /srv/www/htdocs/**                r,
      /srv/www/icons/*.{gif,jpg,png}    r,
      /srv/www/vhosts                   r,
      /srv/www/vhosts/**                r,
      /usr/share/apache2/**             r,
      /var/lib/php/sess_*               rwl,
    }
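The following Python script is an added illustration, not part of the Novell guide or of AppArmor: it models which hat a requested URI runs under (falling back to DEFAULT_URI) and whether a file access would be permitted by that hat's rules. The function names, the simplified value of @{HOME}, and the reduced glob semantics are assumptions made for the example; real enforcement is done by the kernel.

```python
import re

# Hats from the page (DEFAULT_URI abridged), embedded so the example runs offline.
PROFILE = """
/usr/bin/httpd2-prefork {
  ^/cgi-bin/localtime.php {
    /etc/localtime                  r,
    /srv/www/cgi-bin/localtime.php  r,
    /usr/lib/locale/**              r,
  }
  ^DEFAULT_URI {
    /var/log/apache2/**             rwl,
    @{HOME}/public_html/**          r,
    /srv/www/htdocs/**              r,
    /srv/www/icons/*.{gif,jpg,png}  r,
  }
}
"""
HOME = "/home/*"  # assumption: simplified stand-in for the @{HOME} variable

def parse_hats(text):
    """Return {hat_name: [(path_glob, perms), ...]} for every ^hat block."""
    hats, current = {}, None
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if line.startswith("^") and line.endswith("{"):
            current = line[1:-1].strip()
            hats[current] = []
        elif line == "}":
            current = None
        elif current is not None and line.endswith(","):
            glob, perms = line[:-1].split()
            hats[current].append((glob.replace("@{HOME}", HOME), perms))
    return hats

def glob_to_regex(glob):
    """Simplified globbing: ** crosses '/', * and ? do not, {a,b} alternates."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")", ",": "|"}
    body = re.sub(r"\*\*|.", lambda m: table.get(m.group(), re.escape(m.group())), glob)
    return re.compile(body)

def check(hats, uri, path, mode):
    """Return (hat applied to the request, whether path may be opened with mode)."""
    hat = uri if uri in hats else "DEFAULT_URI"  # fallback described on the page
    allowed = any(glob_to_regex(g).fullmatch(path) and set(mode) <= set(p)
                  for g, p in hats[hat])
    return hat, allowed
```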
Immunizing Programs
195
