User manual NOVELL APPARMOR 2.3.1 QUICK START

[. . . ] autodep creates a stub profile for the program or application examined. The resulting profile is called "approximate" because it does not necessarily contain all of the profile entries that the program needs to be confined properly. complain Set an AppArmor profile to complain mode. Manually activating complain mode (using the command line) adds a flag to the top of the profile so that /bin/foo becomes /bin/foo flags=(complain). [. . . ] By specifying origin and destination, the link pair rule provides greater control over how hard links are created. Link pair rules by default do not enforce the link subset permission test that the standard rules link permission requires. To force the rule to require the test the subset keyword is used. The following rules are equivalent: /link l, link subset /link -> /**, Local Variables Local variables are defined at the head of a profile. Use local variables to create shortcuts for paths, for example to provide the base for a chrooted path: @{CHROOT_BASE}=/tmp/foo /sbin/syslog-ng { . . . # chrooted applications @{CHROOT_BASE}/var/lib/*/dev/log w, @{CHROOT_BASE}/var/log/** w, . . . } Rules: Denying rules AppArmor provides deny rules which are standard rules but with the keyword deny prepended. They are used to remember known rejects, and quiet them so the reject messages don't fill up the log files. For more information see Part "Confining Privileges with Novell AppArmor" (Security Guide). Aliases Alias rules provide an alternative form of path rewriting to using variables, and are done post variable resolution: alias /home/ -> /mnt/users/ 3 Rules: Owner Conditional Rules The file rules can be extended so that they can be conditional upon the the user being the owner of the file. by prepending the keyword owner to the rule. Owner conditional rules accumulate just as regular file rules and are considered a subset of regular file rules. If a regular file rule overlaps with an owner conditional file rule, the resultant permissions will be that of the regular file rule. /some/random/example/* r Allow read access to files in the /some/random/ example directory. /some/random/example/ r Allow read access to the directory only. /some/**/ r Give read access to any directories below /some. /some/random/example/** r Give read access to files and directories under /some/ random/example. /some/random/example/**[^/] r Give read access to files under /some/random/ example. To spare users from specifying similar paths all over again, AppArmor supports basic globbing: Glob * ** ?[ abc ] [ a-c ] { ab, cd } [ ^a ] Description Substitutes for any number of characters, except /. Substitutes for any number of characters, including /. Substitutes for any single character, except /. Substitutes for the single character a, b, or c. Substitutes for the single character a, b, or c. [. . . ] That this manual, specifically for the printed format, is reproduced and/or distributed for noncommercial use only. The express authorization of Novell, Inc must be obtained prior to any other use of any manual or part thereof. For Novell trademarks, see the Novell Trademark and Service Mark list http://www. novell. com/company/ legal/trademarks/tmlist. html. Linux* is a registered trademark of Linus Torvalds. [. . . ]