1 apparmor administrative utilities – IBM Novell 10 SP1 EAL4 User Manual
Page 162
●
Administrative utilities provide a mechanism for administrators to configure, query, and control
AppArmor.
For background information on AppArmor which was originally named SubDomain, SubDomain:
Parsimonious Server Security by Crispin Cowan, Steve Beattie, Greg KroahHartman, Calton Pu, Perry
Wagle, and Virgil Gligor at
[CRISP] and
and
.
5.8.1 AppArmor administrative utilities
The primary configuration file for AppArmor is /etc/apparmor/subdomain.conf . (SubDomain was
the original name for AppArmor.) The configuration file defines the directory where AppArmor profiles are
located, what action to take if the AppArmor LSM cannot be loaded at system boot time (warn, panic,
build, or build-panic), whether the OWLSM extension should be loaded, and whether event logging
should occur. For more information about AppArmor configuration, please see the man page on
subdomain.conf.
AppArmor profiles define the confinement rules for applications protected by AppArmor. The profiles are
kept in /etc/apparmor.d.. Profiles are named by the full path to the executable with / replaced by a
period (.). The following contains an example AppArmor policy for klogd which is stored in
/etc/apparmor.d/sbin.klogd:
#include
/sbin/klogd {
#include
capability sys_admin,
/boot/System.map*
r,
/proc/kmsg
r,
/sbin/klogd
rmix,
/var/log/boot.msg
rwl,
/var/run/klogd.pid
rwl,
}
In this example, klogd, can read the specified files in /boot/System.map* and /proc/kmsg. klogd
can write log and run information, such as /var/log/boot.msg and /var/run/klogd.pid.
Allowable access is denoted by familiar UNIX permission contructs, with some additions, as follows:
●
r read
●
w write
●
ux unconstrained execute
●
Ux unconstrained execute after scrubbing the environment
150