Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 265

Step 3 (page 253)) and learn the access needs of the program so it runs properly.
With this information, you can decide how secure to make the profile.
Refer to Section "aa-complain—Entering Complain or Learning Mode"
for more detailed instructions for using learning or complain mode.
3 Exercise your application.
Run your application and exercise its functionality. How much to exercise the
program is up to you, but you need the program to access each file representing
its access needs. Because the execution is not being supervised by aa-genprof,
this step can go on for days or weeks and can span complete system reboots.
4 Analyze the log.
In systemic profiling, run aa-logprof directly instead of letting aa-genprof run it
(as in stand-alone profiling). The general form of aa-logprof is:
aa-logprof [ -d /path/to/profiles ] [ -f /path/to/logfile ]
Refer to Section "aa-logprof—Scanning the System Log"
information about using aa-logprof.
5 Repeat Step 3 (page 253) and
This generates optimum profiles. An iterative approach captures smaller data
sets that can be trained and reloaded into the policy engine. Subsequent iterations
generate fewer messages and run faster.
6 Edit the profiles.
You might want to review the profiles that have been generated. You can open
and edit the profiles in /etc/apparmor.d/ using vim.
7 Return to enforce mode.
This is when the system goes back to enforcing the rules of the profiles, not just
logging information. This can be done manually by removing the
flags=(complain) text from the profiles or automatically by using the
aa-enforce command, which works identically to the aa-complain com-
mand, except it sets the profiles to enforce mode. This functionality is also
Step 4 (page 253).
Building Profiles from the Command Line
(page 255)
(page 266) for more
253