Capability Entries (Posix.1E); Network Access Control - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual
Hide thumbs
Also See for LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009:
- Administration manual (338 pages) ,
- Deployment manual (246 pages) ,
- Application manual (364 pages)
Table of Contents
Advertisement
21.3.3 Tunables
The tunables directory (/etc/apparmor.d/tunables) contains global variable
definitions. When used in a profile, these variables expand to a value that can be changed
without changing the entire profile. Add all the tunables definitions that should be
available to every profile to /etc/apparmor.d/tunables/global.
21.4 Capability Entries (POSIX.1e)
Capabilities statements are simply the word capability followed by the name of
the POSIX.1e capability as defined in the capabilities(7) man page.
21.5 Network Access Control
AppArmor allows mediation of network access based on the address type and family.
The following illustrates the network access rule syntax:
network [[<domain> ][<type >][<protocol >]]
Supported domains: inet, ax25, ipx, appletalk, netrom, bridge, x25,
inet6, rose, netbeui, security, key, packet, ash, econet, atmsvc,
sna, irda, pppox, wanpipe, bluetooth
Supported types: stream, dgram, seqpacket, rdm, raw, packet
Supported protocols: tcp, udp, icmp
The AppArmor tools support only family and type specification. The AppArmor module
emits only network domain type in "access denied" messages. And only these
are output by the profile generation tools, both YaST and command line.
The following examples illustrate possible network-related rules to be used in AppArmor
profiles. Note that the syntax of the last two are not currently supported by the AppArmor
tools.
Profile Components and Syntax
205
Advertisement
Table of Contents
