The rest of this chapter describes using change_hat in conjunction with Apache, to
contain web server components run using mod_perl and mod_php. Similar approaches
can be used with any application server by providing an application module similar to
the mod_apparmor described next in Section 25.2.2, "Location and Directory Directives"
(page 283).
NOTE: For More Information
For more information, see the change_hat man page.
25.1 Apache ChangeHat
Novell AppArmor provides a mod_apparmor module (package
apache2-mod-apparmor) for the Apache program (only included in SUSE Linux
Enterprise Server). This module makes the Apache Web server ChangeHat aware. Install
it along with Apache.
When Apache is ChangeHat aware, it checks for the following customized Novell
AppArmor security profiles in the order given for every URI request that it receives.
• URI-specific hat (for example, ^phpsysinfo/templates/classic/images/bar_left.gif)
• DEFAULT_URI
• HANDLING_UNTRUSTED_INPUT
NOTE: Apache Configuration
If you install apache2-mod-apparmor, make sure the module gets loaded
in Apache by executing the following command:
a2enmod apparmor
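As an added illustration (not taken from this guide or from any shipped profile), the sketch below shows where the three hats from the lookup order above sit inside the Apache profile, each granted only what its requests need. The binary path /usr/sbin/httpd2-prefork, the /srv/www/htdocs document root, and the log file paths are assumptions to adjust for the actual installation.

```apparmor
# Added example: file paths below are assumed, not taken from the guide.
#include <tunables/global>

/usr/sbin/httpd2-prefork {
  #include <abstractions/base>
  #include <abstractions/apache2-common>

  # Parent profile: what the server needs outside of request handling.
  capability net_bind_service,
  capability setgid,
  capability setuid,
  /usr/sbin/httpd2-prefork mr,
  /etc/apache2/** r,
  /var/log/apache2/* w,

  # 1. URI-specific hat: checked first, so it can be the narrowest.
  #    Only the single file served for this URI is readable.
  ^phpsysinfo/templates/classic/images/bar_left.gif {
    #include <abstractions/base>
    #include <abstractions/apache2-common>
    /srv/www/htdocs/phpsysinfo/templates/classic/images/bar_left.gif r,
    /var/log/apache2/access_log w,
  }

  # 2. DEFAULT_URI: applies to requests with no URI-specific hat.
  #    Read-only access to the document root, no execute permission.
  ^DEFAULT_URI {
    #include <abstractions/base>
    #include <abstractions/apache2-common>
    /srv/www/htdocs/** r,
    /var/log/apache2/access_log w,
    /var/log/apache2/error_log w,
  }

  # 3. HANDLING_UNTRUSTED_INPUT: third name in the lookup order.
  #    Kept minimal: no document root access at all.
  ^HANDLING_UNTRUSTED_INPUT {
    #include <abstractions/base>
    #include <abstractions/apache2-common>
    /var/log/apache2/error_log w,
  }
}
```

Because DEFAULT_URI covers every request without its own hat, any write or execute rule placed there applies to the whole site; put such rules in a URI-specific hat instead.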
Section 25.2.2, "Location and Directory Directives"