Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 270

it to complain mode, reloads it into AppArmor, marks the log, and prompts the user to
execute the program and exercise its functionality. Its syntax is as follows:
aa-genprof [ -d /path/to/profiles ]
To create a profile for the the Apache Web server program httpd2-prefork, do the fol-
lowing as root:
1 Enter rcapache2 stop.
2 Next, enter aa-genprof httpd2-prefork.
258 Security Guide
Now aa-genprof does the following:
1. Resolves the full path of httpd2-prefork using your shell's path variables.
You can also specify a full path. On SUSE Linux Enterprise Desktop, the
default full path is /usr/sbin/httpd2-prefork.
2. Checks to see if there is an existing profile for httpd2-prefork. If there is
one, it updates it. If not, it creates one using the aa-autodep as described in
Section 24.6.3, "Summary of Profiling Tools"
3. Puts the profile for this program into learning or complain mode so that
profile violations are logged but are permitted to proceed. A log event looks
like this (see /var/log/audit/audit.log):
type=APPARMOR_ALLOWED msg=audit(1189682639.184:20816):
operation="file_mmap" requested_mask="::r" denied_mask="::r" fsuid=30
name="/srv/www/htdocs/index.html" pid=27471
profile="null-complain-profile"
If you are not running the audit daemon, the AppArmor events are logged
to /var/log/messages:
Sep 13 13:20:30 K23 kernel: audit(1189682430.672:20810):
operation="file_mmap" requested_mask="::r" denied_mask="::r" fsuid=30
name="/srv/www/htdocs/phpsysinfo/templates/bulix/form.tpl" pid=30405
profile="/usr/sbin/httpd2-prefork///phpsysinfo/"
They also can be viewed using the dmesg command:
audit(1189682430.672:20810): operation="file_mmap"
requested_mask="::r" denied_mask="::r" fsuid=30
name="/srv/www/htdocs/phpsysinfo/templates/bulix/form.tpl" pid=30405
profile="/usr/sbin/httpd2-prefork///phpsysinfo/"
program
(page 254).