User manual NOVELL APPARMOR 2.1 ADMINISTRATION GUIDE
[...] AppArmor 2.1
September 27, 2007
www.novell.com
Novell AppArmor Administration Guide
Copyright © 2006-2007 Novell, Inc. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with the Invariant Section being this copyright notice and license. A copy of the license is included in the section entitled "GNU Free Documentation License". SUSE®, openSUSE®, the openSUSE® logo, Novell®, the Novell® logo, the N® logo, are registered trademarks of Novell, Inc.

[...]

In this example, the access to /etc/group is part of httpd2-prefork accessing name services. The appropriate response is 1, which includes a predefined set of AppArmor rules. Selecting 1 to #include the name service package resolves all of the future questions pertaining to DNS lookups and also makes the profile less brittle in that any changes to DNS configuration and the associated name service profile package can be made just once, rather than needing to revise many profiles.
    Profile:  /usr/sbin/httpd2-prefork
    Path:     /etc/group
    New Mode: r

    [1 - #include <abstractions/nameservice>]
     2 - /etc/group

    [(A)llow] / (D)eny / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish
Select one of the following responses:
Select Enter: Triggers the default action, which is, in this example, allowing access to the specified directory path entry.

Allow: Allows access to the specified directory path entries. AppArmor suggests file permission access. For more information about this, refer to Section 2.1.3, "File Permission Access Modes" (page 17).

Deny: Prevents the program from accessing the specified directory path entries. AppArmor then continues to the next event.

New: Prompts you to enter your own rule for this event, allowing you to specify whatever form of regular expression you want. If the expression entered does not actually satisfy the event that prompted the question in the first place, AppArmor asks for confirmation and lets you reenter the expression.

Glob: Select either a specific path or create a general rule using wild cards that matches on a broader set of paths. To select any of the offered paths, enter the number that is printed in front of the paths then decide how to proceed with the selected item. For more information about globbing syntax, refer to Section 2.1.2, "Paths and Globbing" (page 15).

Glob w/Ext: This modifies the original directory path while retaining the filename extension. For example, /etc/apache2/file.ext becomes /etc/apache2/*.ext, adding the wild card (asterisk) in place of the filename. This allows the program to access all files in the suggested directory that end with the .ext extension.

Abort: Aborts aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified.

Finish: Closes aa-logprof, saving all rule changes entered so far and modifying all profiles.
aa-logprof Example 2
For example, when profiling vsftpd, see this question:
    Profile:  /usr/sbin/vsftpd
    Path:     /y2k.jpg
    New Mode: r

    [1 - /y2k.jpg]

    (A)llow / [(D)eny] / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish
Several items of interest appear in this question. First, note that vsftpd is asking for a path entry at the top of the tree, even though vsftpd on openSUSE serves FTP files from /srv/ftp by default. This is because httpd2-prefork uses chroot and, for the portion of the code inside the chroot jail, AppArmor sees file accesses in terms of the chroot environment rather than the global absolute path. The second item of interest is that you might want to grant FTP read access to all JPEG files in the directory, so you could use Glob w/Ext and use the suggested path of /*.jpg. Doing so collapses all previous rules granting access to individual .jpg files and forestalls any future questions pertaining to access to .jpg files.

[...]

Intrusion detection systems might use attack signatures to distinguish between legitimate and potentially malicious activity. By not relying on attack signatures, Novell AppArmor provides "proactive" instead of "reactive" defense from attacks. This is better because there is no window of vulnerability where the attack signature must be defined for Novell AppArmor, as there is for products that use attack signatures to secure their networks.

Refers to a software front-end meant to provide an attractive and easy-to-use interface between a computer user and application.

[...]
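The Glob w/Ext response described in the option list and used in the vsftpd example can be audited before it is accepted. The following Python sketch is an added example, not code from aa-logprof or the guide: it derives the glob, collapses the rules it makes redundant, and lists which files become readable as a side effect. The function names, rule list and file list are constructed for illustration, and the matcher handles only single `*` wildcards.

```python
import posixpath
import re

def glob_with_ext(path):
    """Glob w/Ext: swap the filename for '*' and keep the extension."""
    directory, name = posixpath.split(path)
    ext = posixpath.splitext(name)[1]
    if not ext:
        raise ValueError("no filename extension in %r" % path)
    return posixpath.join(directory, "*" + ext)

def rule_matches(rule_path, path):
    """Match a path against a rule that uses only single '*' wildcards.
    In AppArmor path rules '*' matches any run of characters except '/'."""
    regex = "[^/]*".join(re.escape(part) for part in rule_path.split("*"))
    return re.fullmatch(regex, path) is not None

def collapse(rules, new_glob, mode):
    """Drop rules the new glob makes redundant, then append the glob rule.
    A rule is redundant only if its modes are a subset of the new mode."""
    kept = [(p, m) for p, m in rules
            if not (rule_matches(new_glob, p) and set(m) <= set(mode))]
    return kept + [(new_glob, mode)]

def widened(paths, old_rules, new_glob):
    """Paths the glob permits that no earlier rule covered (modes ignored)."""
    return [p for p in paths if rule_matches(new_glob, p)
            and not any(rule_matches(r, p) for r, _ in old_rules)]

# Constructed sample data. Paths are as seen inside the chroot.
RULES = [("/y2k.jpg", "r"), ("/logo.jpg", "r"), ("/upload.jpg", "rw"),
         ("/pub/banner.jpg", "r"), ("/etc/group", "r")]
FILES = ["/y2k.jpg", "/private.jpg", "/pub/banner.jpg", "/notes.txt"]

if __name__ == "__main__":
    glob = glob_with_ext("/y2k.jpg")
    for path, mode in collapse(RULES, glob, "r"):
        print("  %s %s," % (path, mode))
    print("newly readable:", widened(FILES, RULES, glob))
```

The rw rule for /upload.jpg survives the collapse because the read-only glob does not cover its write permission, and /pub/banner.jpg survives because `*` does not cross a directory separator.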