Building And Modifying Profiles - Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007 Installation Manual


Cron Jobs
Programs that the cron daemon periodically runs read input from a variety of sources.
To find out which processes are currently running with open network ports and might
need a profile to confine them, run aa-unconfined as root.
Example 48.1 Output of aa-unconfined
19848 /usr/sbin/cupsd not confined
19887 /usr/sbin/sshd not confined
19947 /usr/lib/postfix/master not confined
29205 /usr/sbin/sshd confined by '/usr/sbin/sshd (enforce)'
Each of the processes in the above example labeled not confined might need a
custom profile to confine it. Those labeled confined by are already protected by
AppArmor.
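The following script is an added example, not part of the Novell manual. It parses aa-unconfined output in the format of Example 48.1 and lists each binary that has unconfined processes with its PIDs, plus the profile and mode of each confined process. The function names are hypothetical, and the embedded sample lines are copied from Example 48.1.

```shell
#!/bin/sh
# Added example: summarise aa-unconfined output in the format of Example 48.1.
#   <pid> <binary> not confined
#   <pid> <binary> confined by '<profile> (<mode>)'

# Lines from Example 48.1, embedded so the script runs without AppArmor.
sample_output() {
    cat <<'EOF'
19848 /usr/sbin/cupsd not confined
19887 /usr/sbin/sshd not confined
19947 /usr/lib/postfix/master not confined
29205 /usr/sbin/sshd confined by '/usr/sbin/sshd (enforce)'
EOF
}

# One line per binary with unconfined processes: "<binary> <pid> [<pid> ...]"
profile_candidates() {
    awk '/ not confined$/ {
        path = $0
        sub(/^[ \t]*[0-9]+[ \t]+/, "", path)   # drop the pid column
        sub(/ not confined$/, "", path)        # drop the status; path may contain spaces
        if (path in pids) {
            pids[path] = pids[path] " " $1
        } else {
            order[++n] = path; pids[path] = $1
        }
    }
    END { for (i = 1; i <= n; i++) print order[i], pids[order[i]] }'
}

# One line per confined process: "<pid> <mode> <profile>"
confined_modes() {
    awk -v q="'" '{
        start = index($0, " confined by " q)
        if (start == 0) next
        label = substr($0, start + length(" confined by " q))
        sub((q "$"), "", label)                # drop the closing quote
        mode = "unknown"
        if (match(label, /\([a-z]+\)$/)) {
            mode = substr(label, RSTART + 1, RLENGTH - 2)
            label = substr(label, 1, RSTART - 2)
        }
        print $1, mode, label
    }'
}

# On a live system (as root): aa-unconfined | profile_candidates
sample_output | profile_candidates
sample_output | confined_modes
```

In the sample, /usr/sbin/sshd shows up in both lists: PID 19887 is a profile candidate while PID 29205 is already confined in enforce mode.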
TIP: For More Information
For more information about choosing the right applications to profile, refer
to Section 1.2, "Determining Programs to Immunize" (Chapter 1, Immunizing
Programs, ↑Novell AppArmor Administration Guide).

48.3.2 Building and Modifying Profiles

Novell AppArmor on SUSE Linux Enterprise ships with a preconfigured set of profiles
for the most important applications. In addition to that, you can use AppArmor to create
your own profiles for any application you want.
There are two ways of managing profiles. One is to use the graphical front-end provided
by the YaST Novell AppArmor modules and the other is to use the command line tools
provided by the AppArmor suite itself. Both methods basically work the same way.
Running aa-unconfined as described in Section 48.3.1, "Choosing the Applications to
Profile" (page 872) identifies a list of applications that may need a profile to run in a
safe mode.
For each application, perform the following steps to create a profile: