Novell AppArmor

Administration Guide

Publication Date 04 Feb 2011

All content is copyright © Novell, Inc.

Legal Notice

This manual is protected under Novell intellectual property rights. By reproducing, duplicating or distributing this manual you explicitly agree to conform to the terms and conditions of this license agreement.

This manual may be freely reproduced, duplicated and distributed either as such or as part of a bundled package in electronic and/or printed format, provided however that the following conditions are fulfilled:

That this copyright notice and the names of authors and contributors appear clearly and distinctively on all reproduced, duplicated and distributed copies.

That this manual, specifically for the printed format, is reproduced and/or distributed for noncommercial use only.

The express authorization of Novell, Inc. must be obtained prior to any other use of any manual or part thereof.

For Novell trademarks, see the Novell Trademark and Service Mark list http://www.novell.com/company/legal/trademarks/tmlist.html. * Linux is a registered trademark of Linus Torvalds. All other third party trademarks are the property of their respective owners. A trademark symbol (®, ™ etc.) denotes a Novell trademark; an asterisk (*) denotes a third party trademark.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither Novell, Inc., SUSE LINUX Products GmbH, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.


Contents

About This Guide
1. Feedback
2. Documentation Conventions
1. Immunizing Programs
1.1. Introducing the AppArmor Framework
1.2. Determining Programs to Immunize
1.3. Immunizing cron Jobs
1.4. Immunizing Network Applications
2. Profile Components and Syntax
2.1. Breaking a Novell AppArmor Profile into Its Parts
2.2. #include Statements
2.3. Capability Entries (POSIX.1e)
2.4. Using the Local AppArmor Profile Repository
3. Building and Managing Profiles with YaST
3.1. Adding a Profile Using the Wizard
3.2. Manually Adding a Profile
3.3. Editing Profiles
3.4. Deleting a Profile
3.5. Updating Profiles from Log Entries
3.6. Managing Novell AppArmor and Security Event Status
4. Building Profiles from the Command Line
4.1. Checking the AppArmor Module Status
4.2. Building AppArmor Profiles
4.3. Adding or Creating an AppArmor Profile
4.4. Editing an AppArmor Profile
4.5. Deleting an AppArmor Profile
4.6. Two Methods of Profiling
4.7. Paths and Globbing
4.8. File Permission Access Modes
4.9. Important Filenames and Directories
5. Profiling Your Web Applications Using ChangeHat
5.1. Apache ChangeHat
5.2. Configuring Apache for mod_apparmor
6. Managing Profiled Applications
6.1. Monitoring Your Secured Applications
6.2. Configuring Security Event Notification
6.3. Configuring Reports
6.4. Reacting to Security Event Rejections
6.5. Maintaining Your Security Profiles
7. Support
7.1. Updating Novell AppArmor Online
7.2. Using the Man Pages
7.3. For More Information
7.4. Troubleshooting
7.5. Reporting Bugs for AppArmor
A. Background Information on AppArmor Profiling
Glossary

List of Figures

3.1. YaST Controls for AppArmor
3.2. Learning Mode Exception: Controlling Access to Specific Resources
3.3. Learning Mode Exception: Defining Execute Permissions for an Entry

List of Tables

7.1. Man Pages: Sections and Categories

List of Examples

4.1. Learning Mode Exception: Controlling Access to Specific Resources
4.2. Learning Mode Exception: Defining Execute Permissions for an Entry
5.1. Example phpsysinfo Hat