Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 289

25.1.1 Managing ChangeHat-Aware Applications
As with most of the Novell AppArmor tools, you can use two methods for managing ChangeHat: YaST or the command line interface. Managing ChangeHat-aware applications from the command line is much more flexible, but the process is also more complicated. Both methods allow you to manage the hats for your application and populate them with profile entries.

The following steps are a demonstration that adds hats to an Apache profile using YaST. In the Add Profile Wizard, the Novell AppArmor profiling utilities prompt you to create new hats for distinct URI requests. Choosing to create a new hat allows you to create individual profiles for each URI. You can create very tight rules for each request.

If the URI that is processed does not represent significant processing or otherwise does not represent a significant security risk, you can safely select Use Default Hat to process this URI in the default hat, which is the default security profile.

This example creates a new hat for the URI phpsysinfo and its subsequent accesses. Using the profiling utilities, delegate what to add to this new hat. The resulting hat becomes a tight-security container that encompasses all the processing on the server that occurs when the phpsysinfo URI is passed to the Apache Web server.

The URI runs the application phpsysinfo (refer to http://phpsysinfo.sourceforge.net for more information). The phpsysinfo package is assumed to be installed in /srv/www/htdocs/phpsysinfo in a clean (new) installation of SUSE Linux Enterprise Desktop and AppArmor.

1 Once phpsysinfo is installed, you are ready to add hats to the Apache profile. From the Novell AppArmor GUI, select Add Profile Wizard.
2 In Application to Profile, enter httpd2-prefork.
3 Click Create Profile.
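
Hats added to the Apache profile can also be reviewed outside YaST. The following added example (not from the Novell guide) parses a profile's text, lists the file rules inside each hat, and flags recursive write grants that would loosen a hat meant to be tight. The profile text, the hat name phpsysinfo, its rules and the helper names are constructed assumptions; DEFAULT_URI is the default hat name used by mod_apparmor.

```python
import re

# Constructed sample, not taken from the guide: an Apache profile with a
# default hat and a dedicated hat for the phpsysinfo URI. Rules are assumptions.
SAMPLE_PROFILE = """\
/usr/sbin/httpd2-prefork {
  #include <abstractions/base>
  /var/log/apache2/** rw,
  ^DEFAULT_URI {
    /srv/www/htdocs/** r,
    /var/log/apache2/access_log w,
  }

  ^phpsysinfo {
    #include <abstractions/nameservice>
    /srv/www/htdocs/phpsysinfo/** r,
    /proc/meminfo r,
    /bin/df ix,
    /tmp/** rw,
  }
}
"""

HAT_OPEN = re.compile(r"^\s*\^(\S+)\s*(?:flags=\([^)]*\)\s*)?\{\s*$")
FILE_RULE = re.compile(r"^\s*(/\S*)\s+([a-zA-Z]+),\s*$")

def parse_hats(profile_text):
    """Return {hat_name: [(path, perms), ...]} for each ^hat block."""
    hats, current = {}, None
    for line in profile_text.splitlines():
        opened = HAT_OPEN.match(line)
        if opened:
            current = opened.group(1)
            hats[current] = []
        elif current and line.strip() == "}":
            current = None          # hats do not nest, so this closes the hat
        elif current:
            rule = FILE_RULE.match(line)
            if rule:                # skip #include lines and non-file rules
                hats[current].append(rule.groups())
    return hats

def broad_write_rules(rules):
    """Flag rules that grant write access through a recursive ** glob."""
    return [(p, m) for p, m in rules if "**" in p and "w" in m]

if __name__ == "__main__":
    for name, rules in parse_hats(SAMPLE_PROFILE).items():
        print(name, len(rules), "rules; review:", broad_write_rules(rules))
```

Rules in the enclosing httpd2-prefork profile are deliberately not counted, because only the rules inside a hat apply while that hat is active.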
