
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 21. AppArmor Profile Repositories</title><link rel="stylesheet" href="susebooks.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Documentation"><link rel="up" href="part.apparmor.html" title="Part IV. Confining Privileges with Novell AppArmor"><link rel="prev" href="cha.apparmor.profiles.html" title="Chapter 20. Profile Components and Syntax"><link rel="next" href="cha.apparmor.yast.html" title="Chapter 22. Building and Managing Profiles with YaST"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="chapter" title="Chapter 21. AppArmor Profile Repositories"><div class="titlepage"><div><div><h2 class="title"><a name="cha.apparmor.repos"></a>Chapter 21. AppArmor Profile Repositories<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#cha.apparmor.repos">¶</a></span></h2></div></div></div><div class="toc"><p><b>Contents</b></p><dl><dt><span class="sect1"><a href="cha.apparmor.repos.html#sec.apparmor.repos.local">21.1. 
Using the Local Repository</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.repos.html#sec.apparmor.repos.external">21.2. Using the External Repository</a></span></dt></dl></div><p>
  AppArmor ships a set of profiles that are enabled by default. They are
  created by the AppArmor developers and kept under
  <code class="filename">/etc/apparmor.d</code>. In addition to these profiles,
  <span>openSUSE</span>
  ships profiles for individual applications together with the relevant
  application. These profiles are not enabled by default and reside in a
  different directory from the standard AppArmor profiles,
  <code class="filename">/etc/apparmor/profiles/extras</code>.
 </p><p>
  AppArmor also supports the use of an external profile repository. This
  repository is maintained by Novell and allows you to download profiles
  generated by Novell and other AppArmor users as well as upload your own.
  Find the profile repository at
  <a class="ulink" href="http://apparmor.opensuse.org" target="_top">http://apparmor.opensuse.org</a>.
 </p><div class="sect1" title="21.1. Using the Local Repository"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.repos.local"></a>21.1. Using the Local Repository<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.repos.local">¶</a></span></h2></div></div></div><p>
   The AppArmor tools (YaST, aa-genprof, and aa-logprof) support the use of
   a local repository. Whenever you start to create a new profile from
   scratch and an inactive profile already exists in your local
   repository, you are asked whether you would like to use the existing
   inactive one from <code class="filename">/etc/apparmor/profiles/extras</code> and
   base your efforts on it. If you decide to use this
   profile, it is copied to the directory of profiles enabled by
   default (<code class="filename">/etc/apparmor.d</code>) and loaded whenever AppArmor
   is started. Any further adjustments are made to the active
   profile under <code class="filename">/etc/apparmor.d</code>.
  </p></div><div class="sect1" title="21.2. Using the External Repository"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.repos.external"></a>21.2. Using the External Repository<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.repos.external">¶</a></span></h2></div></div></div><p>
   The external AppArmor profile repository at
   <a class="ulink" href="http://apparmor.opensuse.org" target="_top">http://apparmor.opensuse.org</a> serves two main purposes:
   it allows users to browse and download profiles created by other
   users, and to upload their own profiles so that they can easily use them
   on different machines. A valid login on the profile repository server is
   required for uploading profiles. Simply downloading profiles from the
   server does not require a login.
  </p><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note: Using the AppArmor Profile Repository"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left">Using the AppArmor Profile Repository</th></tr><tr><td colspan="2" align="left" valign="top"><p>
    When using the profile repository in your deployment, keep in mind that
    the profiles maintained in the repository are primarily targeted at
    profile developers and might need fine-tuning before they suit
    your particular needs. Please test the downloaded profiles extensively
    before deploying them to your live setup, and adjust them if necessary.
   </p></td></tr></table></div><div class="sect2" title="21.2.1. Setting up Profile Repository Support"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.repos.external.init"></a>21.2.1. Setting up Profile Repository Support<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.repos.external.init">¶</a></span></h3></div></div></div><p>
    Once properly configured, both YaST and the command line tools
    support the use of an external profile repository. The initial
    configuration takes place when you start the YaST Add Profile Wizard,
    the Update Profile Wizard, aa-genprof, or aa-logprof to create or update
    a profile that already exists on the repository server:
   </p><div class="procedure"><ol class="procedure" type="1"><li><p>
      Determine whether or not to use the profile repository.
     </p></li><li><p>
      Enable the repository for profile downloads.
     </p></li><li><p>
      Once you have created or modified a profile, determine whether the
      tools need to be able to upload your profile to the repository.
     </p><p>
      If you choose to upload profiles to the repository, enter your
      credentials for the repository server.
     </p></li></ol></div><p>
    The configuration of the repository is done by editing two configuration
    files, <code class="filename">/etc/apparmor/logprof.conf</code> and
    <code class="filename">/etc/apparmor/repository.conf</code>.
   </p><p>
    The <code class="filename">/etc/apparmor/logprof.conf</code> file contains a
    section called <code class="literal">[repository]</code>.
    <code class="literal">distro</code> determines the version of openSUSE used
    on your system for which the AppArmor tools need to search profiles on the
    server. <code class="literal">url</code> holds the server URL and
    <code class="literal">preferred_user</code> tells the AppArmor tools to prefer
    profiles created by the <code class="literal">novell</code> user. Those profiles
    were created, tested and approved by members of the SUSE development
    team.
   </p><pre class="screen">
...
[repository]
  distro         = opensuse10.3
  url            = http://apparmor.opensuse.org/backend/api
  preferred_user = novell
...
</pre><p>
    The <code class="filename">/etc/apparmor/repository.conf</code> file is created
    during the configuration process with the AppArmor tools. It contains your
    authentication data and specifies which actions to enable with regard
    to the profile repository. If you opt for profile download and do not
    want to be able to upload your own profiles, <code class="literal">enabled</code>
    is set to <code class="literal">yes</code> while <code class="literal">upload</code> is set
    to <code class="literal">no</code>.
   </p><pre class="screen">
[repository]
   enabled = yes 
   upload = yes  
   user = tux
   pass = XXXXX
</pre><p>
    Once initially configured through the AppArmor tools, the configuration can
    only be changed manually.
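   </p><p>
    An added example, not part of the original manual or the AppArmor tools:
    a Python check of the two files described above that flags a plain-http
    <code class="literal">url</code>, a stored password in a
    <code class="filename">repository.conf</code> accessible beyond its owner,
    credentials kept although <code class="literal">upload</code> is
    <code class="literal">no</code>, and a <code class="literal">preferred_user</code>
    other than <code class="literal">novell</code>. The function names, the
    findings and the embedded sample files (built from the excerpts above)
    are assumptions made for illustration.
   </p>

```python
import stat

# Constructed sample inputs, modelled on the two excerpts shown in this chapter.
LOGPROF_CONF = """\
[repository]
  distro         = opensuse10.3
  url            = http://apparmor.opensuse.org/backend/api
  preferred_user = novell
"""
REPOSITORY_CONF = """\
[repository]
   enabled = yes
   upload = yes
   user = tux
   pass = XXXXX
"""

def read_section(text, section="repository"):
    """Return the key/value pairs of one [section]; other sections are skipped."""
    values, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1].strip() == section
        elif inside and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values

def audit(logprof_text, repository_text, repository_mode):
    """Return findings; repository_mode is os.stat(repository.conf).st_mode."""
    log, repo = read_section(logprof_text), read_section(repository_text)
    findings = []
    if repo.get("enabled", "no") != "yes":
        return findings  # repository support is off, nothing is exchanged
    if log.get("url", "").lower().startswith("http://"):
        findings.append("url is plain http: repository traffic is not encrypted")
    if repo.get("pass") and stat.S_IMODE(repository_mode) & 0o077:
        findings.append("repository.conf holds a password but grants access to group or others")
    if repo.get("upload", "no") != "yes" and (repo.get("user") or repo.get("pass")):
        findings.append("credentials are stored although upload is disabled")
    if log.get("preferred_user") != "novell":
        findings.append("preferred_user is not novell: SUSE-reviewed profiles are not preferred")
    return findings

if __name__ == "__main__":
    for finding in audit(LOGPROF_CONF, REPOSITORY_CONF, 0o644):
        print("FINDING:", finding)
```

<p>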
   </p></div><div class="sect2" title="21.2.2. Downloading a Profile"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.repos.external.download"></a>21.2.2. Downloading a Profile<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.repos.external.download">¶</a></span></h3></div></div></div><p>
    While creating a profile from scratch or updating an existing profile by
    processing reject messages in the log, the AppArmor tools search the
    repository for a matching profile. If the search is successful, the
    profile or the list of profiles is displayed and you can view them and
    choose the one that best matches your setup. As soon as you have chosen
    a profile, it gets copied to the local machine (to the
    <code class="filename">/etc/apparmor.d</code> directory) and activated.
    Alternatively, you can choose to ignore the profile on the repository
    and create your own from scratch.
   </p></div><div class="sect2" title="21.2.3. Uploading Your own Profile"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.repos.external.update"></a>21.2.3. Uploading Your own Profile<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.repos.external.update">¶</a></span></h3></div></div></div><p>
    After a profile has been created or updated, the AppArmor tools detect that a
    profile also present in the repository has been changed or that a new
    one has been created. If your system is configured to upload profiles to
    the repository, you are prompted to provide a ChangeLog to document your
    changes before the changes are uploaded to the server. These changes are
    only synced to the repository, but not to the creator of the original
    profile.
   </p></div></div></div></body></html>
