Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 04-08-2006 Installation Manual page 884

For each application, perform the following steps to create a profile:
1 As root, let AppArmor create a rough outline of the application's profile by
2 Run the full range of the application's actions to let AppArmor get a very specific
3 Let AppArmor analyze the log files generated in
4 Once all access permissions are set, your profile is set to enforce mode. The
884 Installation and Administration
running aa-genprof programname
or
Outline the basic profile by running YaST → Novell AppArmor → Add Profile
Wizard and specifying the complete path of the application to profile.
A basic profile is outlined and AppArmor is put into learning mode, which means
that it logs any activity of the program you are executing but does not yet restrict
it.
picture of its activities.
typing in aa-genprof.
S
or
Analyze the logs by clicking Scan system log for AppArmor events in the Add
Profile Wizard and following the instructions given in the wizard until the profile
is completed.
AppArmor scans the logs it recorded during the application's run and asks you
to set the access rights for each event that was logged. Either set them for each
file or use globbing.
profile is applied and AppArmor restricts the application according to the profile
just created.
If you started aa-genprof on an application that had an existing profile that was
in complain mode, this profile remains in learning mode upon exit of this learning
cycle. For more information about changing the mode of a profile, refer to Section
"aa-complain—Entering Complain or Learning Mode" (Chapter 3, Building
Novell AppArmor Profiles, ↑Novell AppArmor 2.0 Administration Guide) and
Section "aa-enforce—Entering Enforce Mode" (Chapter 3, Building Novell
AppArmor Profiles, ↑Novell AppArmor 2.0 Administration Guide).
Step 2 (page 884) by running