Chapter 7. Support

Contents

7.1. Updating Novell AppArmor Online
7.2. Using the Man Pages
7.3. For More Information
7.4. Troubleshooting
7.5. Reporting Bugs for AppArmor

This chapter outlines maintenance-related tasks. Learn how to update Novell® AppArmor and get a list of available man pages providing basic help for using the command line tools provided by Novell AppArmor. Use the troubleshooting section to learn about some common problems encountered with Novell AppArmor and their solutions. Report defects or enhancement requests for Novell AppArmor following the instructions in this chapter.

7.1. Updating Novell AppArmor Online

Updates for Novell AppArmor packages are provided in the same way as any other update for SUSE Linux Enterprise. Retrieve and apply them exactly as you would for any other package that ships as part of SUSE Linux Enterprise.

7.2. Using the Man Pages

There are man pages available for your use. In a terminal, enter man apparmor to open the apparmor man page. Man pages are distributed in sections numbered 1 through 8. Each section is specific to a category of documentation:

Table 7.1. Man Pages: Sections and Categories

Section   Category
-------   --------
1         User commands
2         System calls
3         Library functions
4         Device driver information
5         Configuration file formats
6         Games
7         High level concepts
8         Administrator commands


The section numbers are used to distinguish man pages from each other. For example, exit(2) describes the exit system call, while exit(3) describes the exit C library function.

The Novell AppArmor man pages are:

  • unconfined(8)

  • autodep(1)

  • complain(1)

  • enforce(1)

  • genprof(1)

  • logprof(1)

  • change_hat(2)

  • logprof.conf(5)

  • apparmor.conf(5)

  • apparmor.d(5)

  • apparmor.vim(5)

  • apparmor(7)

  • apparmor_parser(8)

7.3. For More Information

Find more information about the AppArmor product on the Novell AppArmor product page at Novell: http://www.novell.com/products/apparmor/. Find the product documentation for Novell AppArmor, including this document, at http://www.novell.com/documentation/apparmor/ or in the installed system in /usr/share/doc/manual.

There are specific mailing lists for AppArmor that users can post to or join to communicate with developers.

apparmor-general@forge.novell.com

This is a mailing list for end users of AppArmor. It is a good place for questions about how to use AppArmor to protect your applications.

apparmor-dev@forge.novell.com

This is a developer mailing list for AppArmor developers and community members. This list is for questions about development of core AppArmor features—the kernel module and the profiling tools. If you are interested in reviewing the code for AppArmor and contributing reviews or patches, this would be the list for you.

apparmor-announce@forge.novell.com

This is a low traffic list announcing the availability of new releases or features.

7.4. Troubleshooting

This section lists the most common problems and error messages that may occur using Novell AppArmor.

7.4.1. How to React to odd Application Behavior?

If you notice odd application behavior or any other type of application problem, first check the reject messages in the log files to see whether AppArmor is restricting your application too tightly. To check reject messages, start YaST > Novell AppArmor and go to AppArmor Reports. Select View Archive and App Aud for the application audit report. You can filter by date and time to narrow down the specific periods when the unexpected application behavior occurred.

If you detect reject messages that indicate that your application or service is too closely restricted by AppArmor, update your profile to properly handle your use case of the application. Do this with the Update Profile Wizard in YaST, as described in Section 3.5, “Updating Profiles from Log Entries”.

If you decide to run your application or service without AppArmor protection, remove the application's profile from /etc/apparmor.d or move it to another location.

7.4.2. How to Resolve Issues with Apache?

Apache is not starting properly or it is not serving Web pages and you just installed a new module or made a configuration change. When you install additional Apache modules (like apache2-mod_apparmor) or make configuration changes to Apache, you should profile Apache again to catch any additional rules that need to be added to the profile.

7.4.3. Why are the Reports not Sent by E-Mail?

When the reporting feature generates an HTML or CSV file that exceeds the default size, the file is not sent. Mail servers have a default, hard limit for e-mail size. This limitation can impede AppArmor's ability to send e-mails that are generated for reporting purposes. If your mail is not arriving, this could be why. Consider the mail size limits and check the archives if e-mails have not been received.

7.4.4. How to Exclude Certain Profiles from the List of Profiles Used?

AppArmor always loads and applies all profiles that are available in its profile directory (/etc/apparmor.d/). If you decide not to apply a profile to a certain application, delete the appropriate profile or move it to another location where AppArmor would not check for it.

7.4.5. Can I Manage Profiles for Applications not Installed on my System?

Managing profiles with AppArmor requires you to have access to the log of the system on which the application is running. You therefore do not need to run the application on your profile build host, as long as you have access to the machine that runs the application. You can run the application on one system, transfer the logs (/var/log/audit.log or, if audit is not installed, /var/log/messages) to your profile build host, and run aa-logprof -f path_to_logfile.

7.4.6. How to Spot and fix AppArmor Syntax Errors?

Manually editing Novell AppArmor profiles can introduce syntax errors. If you attempt to start or restart AppArmor with syntax errors in your profiles, the errors are reported. The following example shows the complete parser error output.

localhost:~ # rcapparmor start
Loading AppArmor profiles
AppArmor parser error, line 2: Found unexpected character: ’h’
Profile /etc/apparmor.d/usr.sbin.squid failed to load
failed

Using the AppArmor YaST tools, a graphical error message indicates which profile contained the error and requests you to fix it.

To fix a syntax error, log in to a terminal window as root, open the profile, and correct the syntax. Reload the profile set with rcapparmor reload.
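The parser output shown above can also be checked by a script, for example after profiles have been edited on several hosts. The following is an added example, not part of the original documentation: the function names failed_profiles and sample_output are hypothetical, and the sample text is the session shown in this section.

```shell
#!/bin/sh
# Summarise AppArmor profile load failures from init-script output.
# Reads the output on stdin and prints one row per failed profile:
#   profile<TAB>line<TAB>message

failed_profiles() {
    awk '
        # Remember the most recent parser error: line number and message.
        /^AppArmor parser error, line [0-9]+:/ {
            line = $5; sub(/:$/, "", line)
            msg = $0; sub(/^AppArmor parser error, line [0-9]+: */, "", msg)
            next
        }
        # The next "Profile ... failed to load" line names the profile file.
        /^Profile .* failed to load$/ {
            path = $0
            sub(/^Profile /, "", path); sub(/ failed to load$/, "", path)
            printf "%s\t%s\t%s\n", path, (line == "" ? "?" : line), msg
            line = ""; msg = ""
        }
    '
}

# Sample input: the parser error session reproduced from this section.
sample_output() {
    cat <<'EOF'
Loading AppArmor profiles
AppArmor parser error, line 2: Found unexpected character: ’h’
Profile /etc/apparmor.d/usr.sbin.squid failed to load
failed
EOF
}

sample_output | failed_profiles
```

On a live system, pipe the real output into the function instead of the sample, for example rcapparmor reload 2>&1 | failed_profiles.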

7.5. Reporting Bugs for AppArmor

The developers of AppArmor are eager to deliver products of the highest quality. Your feedback and your bug reports help us keep the quality high. Whenever you encounter a bug in AppArmor, file a bug report against this product:

  1. Use your Web browser to go to https://bugzilla.novell.com/index.cgi.

  2. Enter the account data of your Novell account and click Login.

    or

    Create a new Novell account as follows:

    1. Click Create New Account on the Login to Continue page.

    2. Provide a username and password and additional address data and click Create Login to immediately proceed with the login creation.

      or

      Provide data on which other Novell accounts you maintain to sync all these to one account.

  3. Check whether a problem similar to yours has already been reported by clicking Search Reports. Use a quick search against a given product and keyword or use the Advanced Search.

  4. If your problem has already been reported, check this bug report and add extra information to it, if necessary.

  5. If your problem has not been reported yet, select New from the top navigation bar and proceed to the Enter Bug page.

  6. Select the product against which to file the bug. In your case, this would be your product's release. Click Submit.

  7. Select the product version, component (AppArmor in this case), hardware platform, and severity.

  8. Enter a brief headline describing your problem and add a more elaborate description including log files. You may create attachments to your bug report for screen shots, log files, or test cases.

  9. Click Submit after you have entered all the details to send your report to the developers.