
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 22. Building and Managing Profiles with YaST</title><link rel="stylesheet" href="susebooks.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Documentation"><link rel="up" href="part.apparmor.html" title="Part IV. Confining Privileges with Novell AppArmor"><link rel="prev" href="cha.apparmor.repos.html" title="Chapter 21. AppArmor Profile Repositories"><link rel="next" href="cha.apparmor.commandline.html" title="Chapter 23. Building Profiles from the Command Line"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="chapter" title="Chapter 22. Building and Managing Profiles with YaST"><div class="titlepage"><div><div><h2 class="title"><a name="cha.apparmor.yast"></a>Chapter 22. Building and Managing Profiles with YaST<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#cha.apparmor.yast">¶</a></span></h2></div></div></div><div class="toc"><p><b>Contents</b></p><dl><dt><span class="sect1"><a href="cha.apparmor.yast.html#sec.apparmor.yast.wizard">22.1. 
Adding a Profile Using the Wizard</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.yast.html#sec.apparmor.yast.add">22.2. Manually Adding a Profile</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.yast.html#sec.apparmor.yast.edit">22.3. Editing Profiles</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.yast.html#sec.apparmor.yast.del">22.4. Deleting a Profile</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.yast.html#sec.apparmor.yast.update">22.5. Updating Profiles from Log Entries</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.yast.html#sec.apparmor.yast.manage">22.6. Managing Novell AppArmor and Security Event Status</a></span></dt></dl></div><p>
  YaST provides an easy way to build profiles and manage Novell® AppArmor. It
  provides two interfaces: a graphical one and a text-based one. The
  text-based interface consumes fewer resources and less bandwidth, making it a
  better choice for remote administration, or for times when a local
  graphical environment is inconvenient. Although the interfaces have
  differing appearances, they offer the same functionality in similar ways.
  Another alternative is to use AppArmor commands, which can control AppArmor from a
  terminal window or through remote connections. The command line tools are
  described in <a class="xref" href="cha.apparmor.commandline.html" title="Chapter 23. Building Profiles from the Command Line">Chapter 23, <i>Building Profiles from the Command Line</i></a>.
 </p><p>
  Start YaST from the main menu and enter your <code class="systemitem">root</code> password when
  prompted for it. Alternatively, start YaST by opening a terminal window,
  logging in as <code class="systemitem">root</code>, and entering <span class="command"><strong>yast2</strong></span> for the
  graphical mode or <span class="command"><strong>yast</strong></span> for the text-based mode.
 </p><div class="figure"><a name="id601614"></a><p class="title"><b>Figure 22.1. YaST Controls for AppArmor</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/y2_aa_main.png" alt="YaST's main controls for
      AppArmor"></div></div></div><br class="figure-break"><p>
  The right frame shows the AppArmor options:
 </p><div class="variablelist"><dl><dt><span class="term">Add Profile Wizard</span></dt><dd><p>
     For detailed steps, refer to
     <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.wizard" title="22.1. Adding a Profile Using the Wizard">Section 22.1, &#8220;Adding a Profile Using the Wizard&#8221;</a>.
    </p></dd><dt><span class="term">Manually Add Profile</span></dt><dd><p>
     Add a Novell AppArmor profile for an application on your system without the help
     of the wizard. For detailed steps, refer to
     <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.add" title="22.2. Manually Adding a Profile">Section 22.2, &#8220;Manually Adding a Profile&#8221;</a>.
    </p></dd><dt><span class="term">Edit Profile</span></dt><dd><p>
     Edits an existing Novell AppArmor profile on your system. For detailed steps,
     refer to <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.edit" title="22.3. Editing Profiles">Section 22.3, &#8220;Editing Profiles&#8221;</a>.
    </p></dd><dt><span class="term">Delete Profile</span></dt><dd><p>
     Deletes an existing Novell AppArmor profile from your system. For detailed steps,
     refer to <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.del" title="22.4. Deleting a Profile">Section 22.4, &#8220;Deleting a Profile&#8221;</a>.
    </p></dd><dt><span class="term">Update Profile Wizard</span></dt><dd><p>
     For detailed steps, refer to
     <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.update" title="22.5. Updating Profiles from Log Entries">Section 22.5, &#8220;Updating Profiles from Log Entries&#8221;</a>.
    </p></dd><dt><span class="term">AppArmor Reports</span></dt><dd><p>
     For detailed steps, refer to
     <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_reports" title="26.3. Configuring Reports">Section 26.3, &#8220;Configuring Reports&#8221;</a>.
    </p></dd><dt><span class="term">AppArmor Control Panel</span></dt><dd><p>
     For detailed steps, refer to
     <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.manage" title="22.6. Managing Novell AppArmor and Security Event Status">Section 22.6, &#8220;Managing Novell AppArmor and Security Event Status&#8221;</a>.
    </p></dd></dl></div><div class="sect1" title="22.1. Adding a Profile Using the Wizard"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.yast.wizard"></a>22.1. Adding a Profile Using the Wizard<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.yast.wizard">¶</a></span></h2></div></div></div><p>
   <span class="guimenu">Add Profile Wizard</span> is designed to set up Novell AppArmor
   profiles using the AppArmor profiling tools, aa-genprof (generate profile)
   and aa-logprof (update profiles from learning mode log file). For more
   information about these tools, refer to
   <a class="xref" href="cha.apparmor.commandline.html#sec.apparmor.commandline.profiling.summary" title="23.6.3. Summary of Profiling Tools">Section 23.6.3, &#8220;Summary of Profiling Tools&#8221;</a>.
  </p><div class="procedure"><ol class="procedure" type="1"><li><p>
     Stop the application before profiling it to ensure that application
     start-up is included in the profile. To do this, make sure that the
     application or daemon is not running.
    </p><p>
     For example, enter <span class="command"><strong>rc<em class="replaceable"><code>PROGRAM</code></em>
     stop</strong></span> (or
     <span class="command"><strong>/etc/init.d/<em class="replaceable"><code>PROGRAM</code></em> stop</strong></span>)
     in a terminal window while logged in as <code class="systemitem">root</code>, replacing
     <em class="replaceable"><code>PROGRAM</code></em> with the name of the program to
     profile.
    </p></li><li><p>
     Start YaST and select <span class="guimenu">Novell AppArmor</span>+<span class="guimenu">Add Profile Wizard</span>.
    </p><div class="informalfigure"><div class="mediaobject"><img src="images/sd_profilecreationwizard_1.png" alt="Choose the application to
	profile"></div></div></li><li><p>
     Enter the name of the application or browse to the location of the
     program.
    </p></li><li><p>
     Click <span class="guimenu">Create</span>. This runs an AppArmor tool named
     aa-autodep, which performs a static analysis of the program to profile
     and loads an approximate profile into the AppArmor module. For more
     information about aa-autodep, refer to
     <a class="xref" href="cha.apparmor.commandline.html#sec.apparmor.commandline.profiling.summary.autodep" title="23.6.3.1. aa-autodep&#8212;Creating Approximate Profiles">Section 23.6.3.1, &#8220;aa-autodep&#8212;Creating Approximate Profiles&#8221;</a>.
    </p><p>
     Depending on whether the profile you are about to create already exists
     either in the local profile repository (see
     <a class="xref" href="cha.apparmor.repos.html#sec.apparmor.repos.local" title="21.1. Using the Local Repository">Section 21.1, &#8220;Using the Local Repository&#8221;</a>) or in the external
     profile repository (see <a class="xref" href="cha.apparmor.repos.html" title="Chapter 21. AppArmor Profile Repositories">Chapter 21, <i>AppArmor Profile Repositories</i></a>) or
     whether it does not exist yet, proceed with one of the following
     options:
    </p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
       Determine whether you want to use or fine-tune an already existing
       profile from your local profile repository, as outlined in
       <a class="xref" href="cha.apparmor.yast.html#st.apparmor.yast.wizard.local" title="Step 5">Step 5</a>.
      </p></li><li class="listitem" style="list-style-type: disc"><p>
       Determine whether you want to use or fine-tune an already existing
       profile from the external profile repository, as outlined in
       <a class="xref" href="cha.apparmor.yast.html#st.apparmor.yast.wizard.ext" title="Step 6">Step 6</a>.
      </p></li><li class="listitem" style="list-style-type: disc"><p>
       Create the profile from scratch and proceed with
       <a class="xref" href="cha.apparmor.yast.html#st.apparmor.yast.wizard.run" title="Step 7">Step 7</a> and beyond.
      </p></li></ul></div></li><li id="st.apparmor.yast.wizard.local"><p>
     If the profile already exists in the local profile repository under
     <code class="filename">/etc/apparmor/profiles/extra</code>, YaST informs you
     that there is an inactive profile which you can either use as a base
     for your own efforts or which you can just accept as is.
    </p><p>
     Alternatively, you can choose not to use the local version at all and
     start creating the profile from scratch. In any case, proceed with
     <a class="xref" href="cha.apparmor.yast.html#st.apparmor.yast.wizard.run" title="Step 7">Step 7</a>.
    </p></li><li id="st.apparmor.yast.wizard.ext"><p>
     If the profile already exists in the external profile repository and
     this is the first time you have tried to create a profile that already
     exists in the repository, configure your access to the server and
     determine how to use it:
    </p><ol type="a" class="substeps"><li><p>
       Determine whether you want to enable access to the external
       repository or postpone this decision. In case you have selected
       <span class="guimenu">Enable Repository</span>, determine the access mode
       (download/upload) in a next step. In case you want to postpone the
       decision, select <span class="guimenu">Ask Me Later</span> and proceed directly
       to <a class="xref" href="cha.apparmor.yast.html#st.apparmor.yast.wizard.run" title="Step 7">Step 7</a>.
      </p></li><li><p>
       Provide username and password for your account on the profile
       repository server and register at the server.
      </p></li><li><p>
       Select the profile to use and proceed to
       <a class="xref" href="cha.apparmor.yast.html#st.apparmor.yast.wizard.run" title="Step 7">Step 7</a>.
      </p></li></ol></li><li id="st.apparmor.yast.wizard.run"><p>
     Run the application to profile.
    </p></li><li><p>
     Perform as many of the application functions as possible, so that
     learning mode can log the files and directories to which the program
     requires access to function properly. Be sure to include restarting and
     stopping the program in the exercised functions. AppArmor needs to handle
     these events, as well as any other program function.
    </p></li><li id="st.apparmor.yast.wizard.scan"><p>
     Click <span class="guimenu">Scan system log for AppArmor events</span> to parse the
     learning mode log files. This generates a series of questions that you
     must answer to guide the wizard in generating the security profile.
    </p><p>
     If requests to add hats appear, proceed to
     <a class="xref" href="cha.apparmor.hat.html" title="Chapter 24. Profiling Your Web Applications Using ChangeHat">Chapter 24, <i>Profiling Your Web Applications Using ChangeHat</i></a>.
    </p><p>
     The questions fall into two categories:
    </p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
       A resource is requested by a profiled program that is not in the
       profile (see <a class="xref" href="cha.apparmor.yast.html#fig.apparmor.yast.wizard.learn" title="Figure 22.2. Learning Mode Exception: Controlling Access to Specific Resources">Figure 22.2, &#8220;Learning Mode Exception: Controlling Access to Specific Resources&#8221;</a>). Allow
       or deny access to a specific resource.
      </p></li><li class="listitem" style="list-style-type: disc"><p>
       A program is executed by the profiled program and the security domain
       transition has not been defined (see
       <a class="xref" href="cha.apparmor.yast.html#fig.apparmor.yast.wizard.perms" title="Figure 22.3. Learning Mode Exception: Defining Execute Permissions for an Entry">Figure 22.3, &#8220;Learning Mode Exception: Defining Execute Permissions for an Entry&#8221;</a>). Define execute
       permissions for an entry.
      </p></li></ul></div><p>
     Each of these cases results in a series of questions that you must
     answer to add the resource to the profile or to add the program to the
     profile. For an example of each case, see
     <a class="xref" href="cha.apparmor.yast.html#fig.apparmor.yast.wizard.learn" title="Figure 22.2. Learning Mode Exception: Controlling Access to Specific Resources">Figure 22.2, &#8220;Learning Mode Exception: Controlling Access to Specific Resources&#8221;</a> and
     <a class="xref" href="cha.apparmor.yast.html#fig.apparmor.yast.wizard.perms" title="Figure 22.3. Learning Mode Exception: Defining Execute Permissions for an Entry">Figure 22.3, &#8220;Learning Mode Exception: Defining Execute Permissions for an Entry&#8221;</a>. Subsequent steps
     describe your options in answering these questions.
    </p><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note: Varying Processing Options"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left">Varying Processing Options</th></tr><tr><td colspan="2" align="left" valign="top"><p>
      Depending on the type of entry processed, the available options vary.
     </p></td></tr></table></div><div class="figure"><a name="fig.apparmor.yast.wizard.learn"></a><p class="title"><b>Figure 22.2. Learning Mode Exception: Controlling Access to Specific Resources</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.apparmor.yast.wizard.learn">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><img src="images/sd_profilecreationwizard_3.png" alt="Learning Mode Exception: Controlling Access to Specific Resources"></div></div></div><br class="figure-break"><div class="figure"><a name="fig.apparmor.yast.wizard.perms"></a><p class="title"><b>Figure 22.3. Learning Mode Exception: Defining Execute Permissions for an Entry</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.apparmor.yast.wizard.perms">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><img src="images/sd_profilecreationwizard_3exb.png" alt="Learning Mode Exception: Defining Execute Permissions for an Entry"></div></div></div><br class="figure-break"></li><li><p>
     The <span class="guimenu">Add Profile Wizard</span> begins suggesting directory
     path entries that have been accessed by the application profiled (as
     seen in <a class="xref" href="cha.apparmor.yast.html#fig.apparmor.yast.wizard.learn" title="Figure 22.2. Learning Mode Exception: Controlling Access to Specific Resources">Figure 22.2, &#8220;Learning Mode Exception: Controlling Access to Specific Resources&#8221;</a>) or requires
     you to define execute permissions for entries (as seen in
     <a class="xref" href="cha.apparmor.yast.html#fig.apparmor.yast.wizard.perms" title="Figure 22.3. Learning Mode Exception: Defining Execute Permissions for an Entry">Figure 22.3, &#8220;Learning Mode Exception: Defining Execute Permissions for an Entry&#8221;</a>).
    </p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
       For
       <a class="xref" href="cha.apparmor.yast.html#fig.apparmor.yast.wizard.learn" title="Figure 22.2. Learning Mode Exception: Controlling Access to Specific Resources">Figure 22.2: Learning Mode Exception: Controlling Access to Specific Resources</a>:
       Select the option that satisfies the request for access, which could
       be a suggested include, a particular globbed version of the path, or
       the actual pathname. Depending on the situation, these options are
       available:
      </p><div class="variablelist"><dl><dt><span class="term"><code class="literal">#include</code>
        </span></dt><dd><p>
          The section of a Novell AppArmor profile that refers to an include file.
          Include files give access permissions for programs. By using an
          include, you can give the program access to directory paths or
          files that are also required by other programs. Using includes can
          reduce the size of a profile. It is good practice to select
          includes when suggested.
         </p></dd><dt><span class="term">Globbed Version</span></dt><dd><p>
          Accessed by clicking <span class="guimenu">Glob</span>. For information
          about globbing syntax, refer to
          <a class="xref" href="cha.apparmor.profiles.html#sec.apparmor.profiles.glob" title="20.6. Paths and Globbing">Section 20.6, &#8220;Paths and Globbing&#8221;</a>.
         </p></dd><dt><span class="term">Actual Pathname</span></dt><dd><p>
          Literal path that the program needs to access to run properly.
         </p></dd></dl></div><p>
       After selecting a directory path, process it as an entry to the Novell AppArmor
       profile by clicking <span class="guimenu">Allow</span> or
       <span class="guimenu">Deny</span>. If you are not satisfied with the directory
       path entry as it is displayed, you can also <span class="guimenu">Glob</span>
       or <span class="guimenu">Edit</span> it.
      </p><p>
       The following options are available to process the learning mode
       entries and build the profile:
      </p><div class="variablelist"><dl><dt><span class="term">Allow</span></dt><dd><p>
          Grant the program access to the specified directory path entries.
          The <span class="guimenu">Add Profile Wizard</span> suggests file permission
          access. For more information about this, refer to
          <a class="xref" href="cha.apparmor.profiles.html#sec.apparmor.profiles.perm" title="20.7. File Permission Access Modes">Section 20.7, &#8220;File Permission Access Modes&#8221;</a>.
         </p></dd><dt><span class="term">Deny</span></dt><dd><p>
          Click <span class="guimenu">Deny</span> to prevent the program from
          accessing the specified paths.
         </p></dd><dt><span class="term">Glob</span></dt><dd><p>
          Clicking this modifies the directory path (using wild cards) to
          include all files in the suggested directory. Double-clicking it
          grants access to all files and subdirectories beneath the one
          shown. For more information about globbing syntax, refer to
          <a class="xref" href="cha.apparmor.profiles.html#sec.apparmor.profiles.glob" title="20.6. Paths and Globbing">Section 20.6, &#8220;Paths and Globbing&#8221;</a>.
         </p></dd><dt><span class="term">Glob w/Ext</span></dt><dd><p>
          Modify the original directory path while retaining the filename
          extension. A single click causes
          <code class="filename">/etc/apache2/file.ext</code> to become
          <code class="filename">/etc/apache2/*.ext</code>, adding the wild card
          (asterisk) in place of the filename. This allows the program to
          access all files in the suggested directories that end with the
          <code class="filename">.ext</code> extension. When you double-click it,
          access is granted to all files with the particular extension and
          subdirectories beneath the one shown.
         </p></dd><dt><span class="term">Edit</span></dt><dd><p>
          Edit the highlighted line. The new edited line appears at the
          bottom of the list.
         </p></dd><dt><span class="term">Abort</span></dt><dd><p>
           Abort aa-logprof, losing all rule changes entered so far and
           leaving all profiles unmodified.
         </p></dd><dt><span class="term">Finish</span></dt><dd><p>
          Close aa-logprof, saving all rule changes entered so far and
          modifying all profiles.
         </p></dd></dl></div><p>
       Click <span class="guimenu">Allow</span> or <span class="guimenu">Deny</span> for each
       learning mode entry. These help build the Novell AppArmor profile.
      </p><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left"></th></tr><tr><td colspan="2" align="left" valign="top"><p>
        The number of learning mode entries corresponds to the complexity of
        the application.
       </p></td></tr></table></div></li><li class="listitem" style="list-style-type: disc"><p>
       For
       <a class="xref" href="cha.apparmor.yast.html#fig.apparmor.yast.wizard.perms" title="Figure 22.3. Learning Mode Exception: Defining Execute Permissions for an Entry">Figure 22.3: Learning Mode Exception: Defining Execute Permissions for an Entry</a>:
       From the following options, select the one that satisfies the request
       for access. For detailed information about the options available,
       refer to <a class="xref" href="cha.apparmor.profiles.html#sec.apparmor.profiles.perm" title="20.7. File Permission Access Modes">Section 20.7, &#8220;File Permission Access Modes&#8221;</a>.
      </p><div class="variablelist"><dl><dt><span class="term">Inherit</span></dt><dd><p>
          Stay in the same security profile (parent's profile).
         </p></dd><dt><span class="term">Profile</span></dt><dd><p>
          Require a separate profile to exist for the executed program. When
          selecting this option, also select whether AppArmor should sanitize
          the environment when switching profiles by removing certain
          environment variables that can modify the execution behavior of
          the child process. Unless these variables are absolutely required
          to properly execute the child process, always choose the more
          secure, sanitized option.
         </p></dd><dt><span class="term">Unconfined</span></dt><dd><p>
          Execute the program without a security profile. When prompted,
          have AppArmor sanitize the environment to avoid adding security risks
          by inheriting certain environmental variables from the parent
          process.
         </p><div class="warning"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Warning: Risks of Running Unconfined"><tr class="head"><td width="32"><img alt="[Warning]" src="admon/warning.png"></td><th align="left">Risks of Running Unconfined</th></tr><tr><td colspan="2" align="left" valign="top"><p>
           Unless absolutely necessary, do not run unconfined. Choosing the
           <span class="guimenu">Unconfined</span> option executes the new program
           without any protection from AppArmor.
          </p></td></tr></table></div></dd><dt><span class="term">Deny</span></dt><dd><p>
          Click <span class="guimenu">Deny</span> to prevent the program from
          accessing the specified paths.
         </p></dd><dt><span class="term">Abort</span></dt><dd><p>
          Abort aa-logprof, losing all rule changes entered so far, and
          leaving all profiles unmodified.
         </p></dd><dt><span class="term">Finish</span></dt><dd><p>
          Close aa-logprof, saving all rule changes entered so far, and
          modifying all profiles.
         </p></dd></dl></div></li></ul></div></li><li><p>
     Repeat the previous steps if you need to execute more functionality of
     the application.
    </p><p>
     When you are done, click <span class="guimenu">Finish</span>. Choose to apply
     your changes to the local profile set. If you have previously chosen to
     upload your profile to the external profile repository, provide a brief
     change log entry describing your work and upload the profile. If you
     had postponed the decision on whether to upload the profile or not,
     YaST asks you again, and you can create an account and upload the
     profile now or not upload it at all.
    </p><p>
     As soon as you exit the <span class="guimenu">Profile Creation Wizard</span>, the
     profile is saved both locally and on the repository server, if you have
     chosen to upload it. The profile is then loaded into the AppArmor module.
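The following is an added example, not code from the openSUSE manual or from the AppArmor project. It models what the wizard does at the "Scan system log for AppArmor events" step and in the Glob and Glob w/Ext options described above: it reads complain-mode audit records, sorts each one into the two question categories (a file resource missing from the profile, or a program execution with no defined domain transition), applies the Glob and Glob w/Ext rewrites, and renders candidate profile rules. The daemon name exampled and every log value are constructed, and the merge heuristic in suggest_rules is this example's own simplification, not the wizard's exact behaviour.

```python
"""
Added example, not from the openSUSE manual or the AppArmor tools: a model of
what the wizard does when it scans the system log for AppArmor events. It
reads complain-mode audit records, sorts each into one of the two question
categories the manual describes (a file resource missing from the profile, or
a program execution with no defined domain transition), applies the Glob and
Glob w/Ext rewrites, and renders candidate profile rules. The daemon name
exampled and every log value below are constructed; the merge heuristic in
suggest_rules is this example's own, not the wizard's exact behaviour.
"""
import re
from dataclasses import dataclass

# Constructed complain-mode audit records (kernel AppArmor audit field names,
# invented values). In complain mode the kernel logs apparmor="ALLOW" and
# still records what the profile would have denied.
SAMPLE_LOG = """\
type=AVC msg=audit(1300000000.123:42): apparmor="ALLOW" operation="open" profile="/usr/sbin/exampled" name="/etc/exampled/exampled.conf" pid=4242 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1300000000.124:43): apparmor="ALLOW" operation="open" profile="/usr/sbin/exampled" name="/var/log/exampled/access.log" pid=4242 comm="exampled" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1300000000.125:44): apparmor="ALLOW" operation="exec" profile="/usr/sbin/exampled" name="/usr/bin/logger" pid=4243 comm="exampled" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1300000000.126:45): apparmor="ALLOW" operation="open" profile="/usr/sbin/exampled" name="/var/log/exampled/error.log" pid=4242 comm="exampled" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword
FIELD = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_record(line):
    """Split one audit line into a dict of its key=value fields."""
    fields = {}
    for m in FIELD.finditer(line):
        if m.group(1):
            fields[m.group(1)] = m.group(2)
        else:
            fields[m.group(3)] = m.group(4)
    return fields


@dataclass(frozen=True)
class Question:
    profile: str  # profile the confined program was running under
    kind: str     # "resource": add a file rule; "exec": define the transition
    path: str
    mask: str


def classify(log_text):
    """Return the questions the wizard would ask, one per distinct event."""
    seen, questions = set(), []
    for line in log_text.splitlines():
        f = parse_record(line)
        if f.get("type") != "AVC" or "name" not in f or "profile" not in f:
            continue
        mask = f.get("requested_mask", "")
        kind = "exec" if (f.get("operation") == "exec" or "x" in mask) else "resource"
        key = (f["profile"], kind, f["name"], mask)
        if key not in seen:
            seen.add(key)
            questions.append(Question(f["profile"], kind, f["name"], mask))
    return questions


def glob_path(path, clicks=1):
    """The Glob button: one click replaces the filename with '*' (all files in
    the directory); a second click widens it to '**' (subdirectories too)."""
    head, _, _ = path.rpartition("/")
    return f"{head}/{'*' * clicks}"


def glob_with_ext(path, clicks=1):
    """The Glob w/Ext button: like Glob but keeps the filename extension, so
    /etc/apache2/file.ext becomes /etc/apache2/*.ext (or **.ext)."""
    head, _, name = path.rpartition("/")
    _, dot, ext = name.rpartition(".")
    if not dot:
        return glob_path(path, clicks)
    return f"{head}/{'*' * clicks}.{ext}"


def suggest_rules(questions, exec_transition="Px"):
    """Render candidate rules. Exec questions get the chosen transition
    (default Px: a separate profile with a sanitized environment, the option
    the manual recommends). Resource questions that share a directory,
    extension and mask are merged with Glob w/Ext; others keep the literal
    path. This merge heuristic is the example's own simplification."""
    groups, rules = {}, []
    for q in questions:
        if q.kind == "exec":
            rules.append(f"{q.path} {exec_transition},")
            continue
        has_ext = "." in q.path.rpartition("/")[2]
        pattern = glob_with_ext(q.path) if has_ext else q.path
        groups.setdefault((pattern, q.mask), []).append(q.path)
    for (pattern, mask), paths in groups.items():
        target = pattern if len(paths) > 1 else paths[0]
        rules.append(f"{target} {mask},")
    return rules


if __name__ == "__main__":
    for q in classify(SAMPLE_LOG):
        print(f"{q.kind:8} {q.path} ({q.mask})")
    print("\n".join(suggest_rules(classify(SAMPLE_LOG))))
```

Run on the constructed log, the two log writes in the same directory collapse into a single `/var/log/exampled/*.log w,` rule, the configuration read keeps its literal path, and the execution of `/usr/bin/logger` becomes a `Px` transition rule, which is the "Profile" answer with environment sanitizing that the manual advises over "Unconfined".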
    </p></li></ol></div></div><div class="sect1" title="22.2. Manually Adding a Profile"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.yast.add"></a>22.2. Manually Adding a Profile<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.yast.add">¶</a></span></h2></div></div></div><p>
   Novell AppArmor enables you to create a Novell AppArmor profile by manually adding entries
   into the profile. Select the application for which to create a profile,
   then add entries.
  </p><div class="procedure"><ol class="procedure" type="1"><li><p>
     Start YaST and select <span class="guimenu">Novell AppArmor</span>+<span class="guimenu">Manually Add Profile</span>.
    </p></li><li><p>
     Browse your system to find the application for which to create a
     profile.
    </p></li><li><p>
     When you find the application, select it and click
     <span class="guimenu">Open</span>. A basic, empty profile appears in the
     <span class="guimenu">AppArmor Profile Dialog</span> window.
    </p></li><li><p>
     In <span class="guimenu">AppArmor Profile Dialog</span>, add, edit, or delete AppArmor
     profile entries by clicking the corresponding buttons and referring to
     <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.edit.add" title="22.3.1. Adding an Entry">Section 22.3.1, &#8220;Adding an Entry&#8221;</a>,
     <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.edit.edit" title="22.3.2. Editing an Entry">Section 22.3.2, &#8220;Editing an Entry&#8221;</a>,
     or
     <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.edit.del" title="22.3.3. Deleting an Entry">Section 22.3.3, &#8220;Deleting an Entry&#8221;</a>.
    </p></li><li><p>
     When finished, click <span class="guimenu">Done</span>.
    </p></li></ol></div></div><div class="sect1" title="22.3. Editing Profiles"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.yast.edit"></a>22.3. Editing Profiles<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.yast.edit">¶</a></span></h2></div></div></div><p>
   AppArmor enables you to edit Novell AppArmor profiles manually by adding, editing, or
   deleting entries. To edit a profile, proceed as follows:
  </p><div class="procedure"><ol class="procedure" type="1"><li><p>
     Start YaST and select <span class="guimenu">Novell AppArmor</span>+<span class="guimenu">Edit Profile</span>.
    </p><div class="informalfigure"><div class="mediaobject"><img src="images/edit_1.png" alt="Choose the profile to edit"></div></div></li><li><p>
     From the list of profiled applications, select the profile to edit.
    </p></li><li><p>
     Click <span class="guimenu">Next</span>. The <span class="guimenu">AppArmor Profile
     Dialog</span> window displays the profile.
    </p><div class="informalfigure"><div class="mediaobject"><img src="images/edit_2.png" alt="AppArmor profile dialog"></div></div></li><li><p>
     In the <span class="guimenu">AppArmor Profile Dialog</span> window, add, edit, or
     delete Novell AppArmor profile entries by clicking the corresponding buttons and
     referring to
     <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.edit.add" title="22.3.1. Adding an Entry">Section 22.3.1, &#8220;Adding an Entry&#8221;</a>,
     <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.edit.edit" title="22.3.2. Editing an Entry">Section 22.3.2, &#8220;Editing an Entry&#8221;</a>,
     or
     <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.edit.del" title="22.3.3. Deleting an Entry">Section 22.3.3, &#8220;Deleting an Entry&#8221;</a>.
    </p></li><li><p>
     When you are finished, click <span class="guimenu">Done</span>.
    </p></li><li><p>
     In the pop-up that appears, click <span class="guimenu">Yes</span> to confirm
     your changes to the profile and reload the AppArmor profile set.
    </p></li></ol></div><div class="tip"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Tip: Syntax Checking in AppArmor"><tr class="head"><td width="32"><img alt="[Tip]" src="admon/tip.png"></td><th align="left">Syntax Checking in AppArmor</th></tr><tr><td colspan="2" align="left" valign="top"><p>
    AppArmor contains a syntax check that notifies you of any syntax errors in
    profiles you are trying to process with the YaST AppArmor tools. If an
    error occurs, edit the profile manually as <code class="systemitem">root</code> and reload the
    profile set with <span class="command"><strong>rcapparmor <code class="option">reload</code></strong></span>.
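The following is an added example, not part of the manual or of the AppArmor tools: a pre-check for a hand-edited profile that flags the mistakes the YaST syntax check most often reports (non-absolute paths, unknown or conflicting access mode letters, rules missing their trailing comma, unbalanced braces), for use before running rcapparmor reload. It covers the file rule form and the mode letters listed in the manual's "File Permission Access Modes" section; capability and network rules are passed through unchecked, and the parser that loads the profile remains the authority. The sample profiles and the daemon name exampled are constructed.

```python
"""
Added example, not part of the manual or the AppArmor tools: a pre-check for a
hand-edited profile that flags the mistakes the YaST syntax check most often
reports, to run before rcapparmor reload. It is a sanity pass only; the
parser that loads the profile remains the authority. The sample profiles and
the daemon name exampled are constructed for the example.
"""
import re

# Access mode letters from the manual's "File Permission Access Modes"
# section. Exec modes are kept apart because a rule may carry only one.
BASIC_MODES = set("rwalkm")
EXEC_MODES = ("ix", "px", "Px", "ux", "Ux", "cx", "Cx")

# Optional qualifiers, an absolute path or @{variable}, a mode, a comma.
RULE = re.compile(
    r"^(?:(?:deny|audit|owner)\s+)*(?P<path>\S+)\s+(?P<mode>[A-Za-z]+),$"
)

GOOD_PROFILE = """\
# Constructed sample profile for /usr/sbin/exampled (not a real package)
#include <tunables/global>

/usr/sbin/exampled {
  #include <abstractions/base>

  capability setuid,
  /etc/exampled/exampled.conf r,
  /var/log/exampled/*.log w,
  /usr/bin/logger Px,
}
"""

# Constructed profile with one defect per rule line and a missing brace.
BAD_PROFILE = """\
/usr/sbin/exampled {
  #include <abstractions/base>
  etc/exampled/exampled.conf r,
  /var/log/exampled/*.log wa,
  /usr/bin/logger pxux,
  /tmp/scratch rw
"""


def check_mode(mode):
    """Return problems with one access mode string such as 'rw', 'Px' or 'mix'."""
    msgs = []
    execs = [e for e in EXEC_MODES if e in mode]
    rest = mode
    for e in execs:
        rest = rest.replace(e, "", 1)
    unknown = set(rest) - BASIC_MODES
    if unknown:
        letters = "".join(sorted(unknown))
        msgs.append(f"unknown access mode letter(s) {letters!r} in {mode!r}")
    if len(execs) > 1:
        msgs.append(f"conflicting exec modes {execs} in {mode!r}")
    if "a" in rest and "w" in rest:
        msgs.append(f"'a' (append) and 'w' (write) conflict in {mode!r}")
    return msgs


def check_profile(text):
    """Return a list of (line number, message); an empty list means the
    profile passed the pre-check."""
    problems, depth = [], 0
    lines = text.splitlines()
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or (line.startswith("#") and not line.startswith("#include")):
            continue  # blank line or comment
        if line.startswith("#include"):
            if not re.fullmatch(r"#include\s+<[^<>]+>", line):
                problems.append((lineno, "malformed #include, expected #include <file>"))
            continue
        if line.endswith("{"):  # profile header or ^hat header
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth < 0:
                problems.append((lineno, "unmatched closing brace"))
            continue
        if depth == 0:
            problems.append((lineno, "rule outside of a profile block"))
        if not line.endswith(","):
            problems.append((lineno, "rule must end with a comma"))
            continue
        if line.startswith(("capability ", "network")):
            continue  # other rule types are not checked by this example
        m = RULE.match(line)
        if not m:
            problems.append((lineno, "cannot parse file rule"))
            continue
        path, mode = m.group("path"), m.group("mode")
        if not path.startswith(("/", "@{")):
            problems.append((lineno, f"path {path!r} is not absolute"))
        problems.extend((lineno, msg) for msg in check_mode(mode))
    if depth > 0:
        problems.append((len(lines), "unbalanced braces: missing '}'"))
    return problems


if __name__ == "__main__":
    for lineno, msg in check_profile(BAD_PROFILE) or [(0, "no problems found")]:
        print(f"line {lineno}: {msg}")
```

On the constructed BAD_PROFILE the check reports a relative path on line 3, the append/write conflict on line 4, two exec modes on one rule on line 5, a missing comma on line 6, and the missing closing brace; GOOD_PROFILE passes cleanly. Running this before rcapparmor reload catches the cases where the loaded profile set would otherwise silently keep the old, possibly weaker, version of the profile.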
   </p></td></tr></table></div><div class="sect2" title="22.3.1. Adding an Entry"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.yast.edit.add"></a>22.3.1. Adding an Entry<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.yast.edit.add">¶</a></span></h3></div></div></div><p>
    The <span class="guimenu">Add Entry</span> option can be found in
    <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.add" title="22.2. Manually Adding a Profile">Section 22.2, &#8220;Manually Adding a Profile&#8221;</a> or
    <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.edit" title="22.3. Editing Profiles">Section 22.3, &#8220;Editing Profiles&#8221;</a>.
    When you select <span class="guimenu">Add Entry</span>, a list shows the types of
    entries you can add to the Novell AppArmor profile.
   </p><p>
    From the list, select one of the following:
   </p><div class="variablelist"><dl><dt><span class="term">File</span></dt><dd><p>
       In the pop-up window, specify the absolute path of a file, including
       the type of access permitted. When finished, click
       <span class="guimenu">OK</span>.
      </p><p>
       You can use globbing if necessary. For globbing information, refer to
       <a class="xref" href="cha.apparmor.profiles.html#sec.apparmor.profiles.glob" title="20.6. Paths and Globbing">Section 20.6, &#8220;Paths and Globbing&#8221;</a>.
       For file access permission information, refer to
       <a class="xref" href="cha.apparmor.profiles.html#sec.apparmor.profiles.perm" title="20.7. File Permission Access Modes">Section 20.7, &#8220;File Permission Access Modes&#8221;</a>.
      </p><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="35%"><tr><td><img src="images/add_2_addentry_file.png" width="100%" alt="Select a file to add"></td></tr></table></div></div></dd><dt><span class="term">Directory</span></dt><dd><p>
       In the pop-up window, specify the absolute path of a directory,
       including the type of access permitted. You can use globbing if
       necessary. When finished, click <span class="guimenu">OK</span>.
      </p><p>
       For globbing information, refer to
       <a class="xref" href="cha.apparmor.profiles.html#sec.apparmor.profiles.glob" title="20.6. Paths and Globbing">Section 20.6, &#8220;Paths and Globbing&#8221;</a>.
       For file access permission information, refer to
       <a class="xref" href="cha.apparmor.profiles.html#sec.apparmor.profiles.perm" title="20.7. File Permission Access Modes">Section 20.7, &#8220;File Permission Access Modes&#8221;</a>.
       </p><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="35%"><tr><td><img src="images/add_2_addentry_file.png" width="100%" alt="Select a directory to add"></td></tr></table></div></div></dd><dt><span class="term">Network Rule</span></dt><dd><p>
       In the pop-up window, select the appropriate network family and the
       socket type. For more information, refer to
       <a class="xref" href="cha.apparmor.profiles.html#sec.apparmor.profiles.nac" title="20.5. Network Access Control">Section 20.5, &#8220;Network Access Control&#8221;</a>.
       </p><div class="informalfigure"><div class="mediaobject"><img src="images/add_2_addentry_network.png" alt="Select a network rule"></div></div></dd><dt><span class="term">Capability</span></dt><dd><p>
       In the pop-up window, select the appropriate capabilities. These are
       statements that enable each of the 32 POSIX.1e capabilities. Refer to
       <a class="xref" href="cha.apparmor.profiles.html#sec.apparmor.profiles.capabilities" title="20.4. Capability Entries (POSIX.1e)">Section 20.4, &#8220;Capability Entries (POSIX.1e)&#8221;</a>
       for more information about capabilities. When finished making your
       selections, click <span class="guimenu">OK</span>.
      </p><div class="informalfigure"><div class="mediaobject"><img src="images/add_2_addentry_capability.png" alt="Select capabilities"></div></div></dd><dt><span class="term">Include</span></dt><dd><p>
       In the pop-up window, browse to the files to use as includes.
       Includes are directives that pull in components of other Novell AppArmor
       profiles to simplify profiles. For more information, refer to
       <a class="xref" href="cha.apparmor.profiles.html#sec.apparmor.profiles.includes" title="20.3. #include Statements">Section 20.3, &#8220;<code class="literal">#include</code> Statements&#8221;</a>.
      </p><div class="informalfigure"><div class="mediaobject"><img src="images/add_2_addentry_includefile.png" alt="Select includes"></div></div></dd><dt><span class="term">Hat</span></dt><dd><p>
       In the pop-up window, specify the name of the subprofile
       (<span class="emphasis"><em>hat</em></span>) to add to your current profile and click
       <span class="guimenu">Create Hat</span>. For more information, refer to
       <a class="xref" href="cha.apparmor.hat.html" title="Chapter 24. Profiling Your Web Applications Using ChangeHat">Chapter 24, <i>Profiling Your Web Applications Using ChangeHat</i></a>.
      </p><div class="informalfigure"><div class="mediaobject"><img src="images/add_2_addentry_hat.png"></div></div></dd></dl></div></div><div class="sect2" title="22.3.2. Editing an Entry"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.yast.edit.edit"></a>22.3.2. Editing an Entry<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.yast.edit.edit">¶</a></span></h3></div></div></div><p>
    When you select <span class="guimenu">Edit Entry</span>, the file browser pop-up
    window opens. From here, edit the selected entry.
   </p><p>
    In the pop-up window, specify the absolute path of a file, including the
    type of access permitted. You can use globbing if necessary. When
    finished, click <span class="guimenu">OK</span>.
   </p><p>
    For globbing information, refer to
    <a class="xref" href="cha.apparmor.profiles.html#sec.apparmor.profiles.glob" title="20.6. Paths and Globbing">Section 20.6, &#8220;Paths and Globbing&#8221;</a>. For file access permission
    information, refer to <a class="xref" href="cha.apparmor.profiles.html#sec.apparmor.profiles.perm" title="20.7. File Permission Access Modes">Section 20.7, &#8220;File Permission Access Modes&#8221;</a>.
   </p></div><div class="sect2" title="22.3.3. Deleting an Entry"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.yast.edit.del"></a>22.3.3. Deleting an Entry<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.yast.edit.del">¶</a></span></h3></div></div></div><p>
    To delete an entry in a given profile, select <span class="guimenu">Delete
    Entry</span>. AppArmor removes the selected profile entry.
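</p><p>
     Each entry type from <span class="guimenu">Add Entry</span> ends up as one line (or, for a hat, a nested block) in the profile text that YaST writes, and the syntax check mentioned in the tip above runs over that text. The following Python script is an added example, not code from YaST or the AppArmor tools: it renders the six entry types as AppArmor rules for a constructed sample profile and runs a small check modelled on that syntax check (balanced braces, a trailing comma on every rule, known access modes and capability names). The helper names, the sample profile <code class="literal">/usr/sbin/foo</code> and its paths are assumptions; real profiles are validated by <code class="literal">apparmor_parser</code> when the profile set is reloaded.
</p>

```python
"""Added example, not YaST or AppArmor project code: render the six YaST
"Add Entry" types as AppArmor profile text and run a small syntax check.
Helper names, the sample profile /usr/sbin/foo and its paths are assumptions;
real profiles are validated by apparmor_parser when the profile set reloads."""
import re

# Access modes from Section 20.7: r w a l k m plus one of the execute modes
# ix, px, Px, ux, Ux, cx, Cx. A mode string is a non-empty run of these.
MODE_RE = re.compile(r"^(?:[iuUpPcC]x|[rwalkm])+$")
CAPNAME_RE = re.compile(r"^[a-z_]+$")
FILE_RULE_RE = re.compile(r"^(/\S*)\s+(\S+),$")

def file_entry(path, modes):
    """File entry: absolute path (globbing allowed) plus access modes."""
    if not path.startswith("/"):
        raise ValueError("file path must be absolute: " + path)
    if not MODE_RE.match(modes):
        raise ValueError("unknown access mode: " + modes)
    return f"{path} {modes},"

def directory_entry(path, modes, recursive=False):
    """Directory entry: the directory itself, or everything below it (/**)."""
    if not path.startswith("/"):
        raise ValueError("directory path must be absolute: " + path)
    return file_entry(path.rstrip("/") + ("/**" if recursive else "/"), modes)

def network_entry(family, sock_type):
    """Network rule: address family and socket type (Section 20.5)."""
    return f"network {family} {sock_type},"

def capability_entry(name):
    """Capability entry: one POSIX.1e capability name (Section 20.4)."""
    if not CAPNAME_RE.match(name):
        raise ValueError("capability names are lowercase identifiers: " + name)
    return f"capability {name},"

def include_entry(name):
    """Include: pulls in a shared profile fragment (Section 20.3)."""
    return f"#include <{name}>"

def hat(name, rules):
    """Hat (subprofile): a nested block introduced by ^name."""
    return "\n".join([f"^{name} {{"] + ["  " + r for r in rules] + ["}"])

def profile(path, rules, flags=None):
    """Assemble a complete profile; flags such as complain go in the header."""
    header = path + (f" flags=({flags})" if flags else "") + " {"
    body = ["  " + line for rule in rules for line in rule.splitlines()]
    return "\n".join([header] + body + ["}"]) + "\n"

def check_syntax(text):
    """Return a list of problems; empty when the profile looks well formed.

    Checks balanced braces, a trailing comma on every rule, known file
    access modes and capability names. Comment and #include lines are skipped.
    """
    problems, depth = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth < 0:
                problems.append(f"line {n}: closing brace without an open block")
            continue
        if not line.endswith(","):
            problems.append(f"line {n}: rule must end with a comma")
            continue
        m = FILE_RULE_RE.match(line)
        if m and not MODE_RE.match(m.group(2)):
            problems.append(f"line {n}: unknown access mode {m.group(2)!r}")
        elif line.startswith("capability ") and not CAPNAME_RE.match(line[11:-1]):
            problems.append(f"line {n}: bad capability name in {line!r}")
    if depth != 0:
        problems.append("unbalanced braces: a profile or hat block is not closed")
    return problems

# Constructed sample: one entry of each type, loaded in complain mode.
SAMPLE = profile("/usr/sbin/foo", [
    include_entry("abstractions/base"),
    capability_entry("net_bind_service"),
    network_entry("inet", "stream"),
    file_entry("/etc/foo.conf", "r"),
    file_entry("/var/log/foo.log", "w"),
    directory_entry("/var/lib/foo", "rw", recursive=True),
    hat("admin", [file_entry("/var/lib/foo/admin/**", "rw")]),
], flags="complain")

# Constructed broken profile: unknown mode, missing comma, unclosed block.
BROKEN = "/usr/sbin/bar {\n  /etc/bar.conf rwx,\n  /tmp/** rw\n"

if __name__ == "__main__":
    print(SAMPLE)
    print("problems in SAMPLE:", check_syntax(SAMPLE))
    print("problems in BROKEN:", check_syntax(BROKEN))
```

<p>
     Running the script prints the rendered profile followed by an empty problem list, while the deliberately broken second profile reports three problems (an unknown mode, a missing comma and an unclosed block). That is the situation in which the tip above tells you to edit the profile manually as <code class="systemitem">root</code> and reload the profile set.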
   </p></div></div><div class="sect1" title="22.4. Deleting a Profile"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.yast.del"></a>22.4. Deleting a Profile<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.yast.del">¶</a></span></h2></div></div></div><p>
   AppArmor enables you to delete an AppArmor profile manually. Select the
   application whose profile you want to delete, then delete it as follows:
  </p><div class="procedure"><ol class="procedure" type="1"><li><p>
     Start YaST and select <span class="guimenu">Novell AppArmor</span>+<span class="guimenu">Delete Profile</span>.
    </p></li><li><p>
     Select the profile to delete.
    </p></li><li><p>
     Click <span class="guimenu">Next</span>.
    </p></li><li><p>
     In the pop-up that opens, click <span class="guimenu">Yes</span> to delete the
     profile and reload the AppArmor profile set.
    </p></li></ol></div></div><div class="sect1" title="22.5. Updating Profiles from Log Entries"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.yast.update"></a>22.5. Updating Profiles from Log Entries<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.yast.update">¶</a></span></h2></div></div></div><p>
   The Novell AppArmor profile wizard uses aa-logprof, the tool that scans log files
   and enables you to update profiles. aa-logprof tracks messages from the
   Novell AppArmor module that represent exceptions for all profiles running on your
   system. These exceptions represent the behavior of the profiled
   application that is outside of the profile definition for the program.
   You can add the new behavior to the relevant profile by selecting the
   suggested profile entry.
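</p><p>
    The messages aa-logprof tracks are AppArmor audit records: each one names the confining profile, the operation and, for file access, the path and the requested access mask. The Python script below is an added example, not the code of aa-logprof or of the wizard: it parses a few constructed audit lines of that form, keeps only the ALLOWED (complain mode) and DENIED (enforce mode) events, and collapses them into the kind of profile entry the wizard offers you, one file rule per path with the requested modes merged, plus capability and network rules. The profile names, paths and timestamps in the sample log are constructed.
</p>

```python
"""Added example, not the aa-logprof code: turn AppArmor audit messages into
the profile entries the Update Profile Wizard would suggest. The log lines,
profile names, paths and timestamps are constructed samples in the
key="value" form of AppArmor audit records."""
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log: complain-mode (ALLOWED) events for /usr/sbin/foo,
# one enforce-mode (DENIED) event for /usr/sbin/bar and one status message,
# which is not an exception and must be ignored.
SAMPLE_LOG = [
    'type=AVC msg=audit(1300000000.101:21): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/foo" name="/etc/foo.conf" pid=2011 comm="foo" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(1300000000.102:22): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/foo" name="/var/log/foo.log" pid=2011 comm="foo" '
    'requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    'type=AVC msg=audit(1300000000.103:23): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/foo" name="/var/log/foo.log" pid=2011 comm="foo" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(1300000000.104:24): apparmor="ALLOWED" operation="capable" '
    'profile="/usr/sbin/foo" pid=2011 comm="foo" capability=10 '
    'capname="net_bind_service"',
    'type=AVC msg=audit(1300000000.105:25): apparmor="ALLOWED" operation="create" '
    'profile="/usr/sbin/foo" pid=2011 comm="foo" family="inet" '
    'sock_type="stream" protocol=6',
    'type=AVC msg=audit(1300000000.106:26): apparmor="ALLOWED" operation="exec" '
    'profile="/usr/sbin/foo" name="/bin/sh" pid=2011 comm="foo" '
    'requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    'type=AVC msg=audit(1300000000.107:27): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/bar" name="/srv/bar/data.db" pid=2099 comm="bar" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(1300000000.108:28): apparmor="STATUS" '
    'operation="profile_load" name="/usr/sbin/foo" pid=1 comm="apparmor_parser"',
]

def parse_event(line):
    """Split one audit record into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def merge_modes(modes):
    """Order the collected modes the way they are written in a file rule."""
    return "".join(ch for ch in "rwalkm" if ch in modes)

def suggest_rules(lines):
    """Map each profile to the rules that would cover its logged exceptions.

    Returns (rules, exec_paths). Execute requests are listed separately:
    choosing ix, px or ux for them is the decision the wizard asks you to make.
    """
    files = defaultdict(lambda: defaultdict(set))   # profile -> path -> modes
    other = defaultdict(set)                        # profile -> rule text
    exec_paths = defaultdict(set)                   # profile -> executed paths
    for line in lines:
        ev = parse_event(line)
        if ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue                                 # STATUS and the like
        prof = ev["profile"]
        if ev.get("operation") == "capable":
            other[prof].add(f"capability {ev['capname']},")
        elif "family" in ev and "sock_type" in ev:
            other[prof].add(f"network {ev['family']} {ev['sock_type']},")
        elif "name" in ev and "requested_mask" in ev:
            mask = ev["requested_mask"]
            if "x" in mask:
                exec_paths[prof].add(ev["name"])
            files[prof][ev["name"]].update(ch for ch in mask if ch != "x")
    rules = {}
    for prof in sorted(set(files) | set(other)):
        suggested = sorted(other[prof])
        for path, modes in sorted(files[prof].items()):
            if modes:
                suggested.append(f"{path} {merge_modes(modes)},")
        rules[prof] = suggested
    return rules, dict(exec_paths)

if __name__ == "__main__":
    rules, exec_paths = suggest_rules(SAMPLE_LOG)
    for prof, suggested in rules.items():
        print(prof, "{")
        for rule in suggested:
            print("  " + rule)
        print("}")
    print("exec decisions needed:", exec_paths)
```

<p>
    For the sample log the script produces a capability rule, a network rule and two file rules for <code class="literal">/usr/sbin/foo</code> (the two accesses to the log file merge into <code class="literal">rw</code>), a single read rule for <code class="literal">/usr/sbin/bar</code>, and it lists the execution of <code class="literal">/bin/sh</code> separately because the execute mode is a choice the wizard's questions leave to you. Loading a profile with a blanket rule for such a path is exactly what the questions exist to prevent.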
  </p><div class="tip"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Tip: Support for the External Profile Repository"><tr class="head"><td width="32"><img alt="[Tip]" src="admon/tip.png"></td><th align="left">Support for the External Profile Repository</th></tr><tr><td colspan="2" align="left" valign="top"><p>
    Similar to the <span class="guimenu">Add Profile Wizard</span>, the
    <span class="guimenu">Update Profile Wizard</span> also supports profile exchange
    with the external repository server. For background information on the
    use of the external AppArmor profile repository, refer to
    <a class="xref" href="cha.apparmor.repos.html" title="Chapter 21. AppArmor Profile Repositories">Chapter 21, <i>AppArmor Profile Repositories</i></a>. For details on how to
    configure access and access mode to the server, check the procedure
    described under <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.wizard" title="22.1. Adding a Profile Using the Wizard">Section 22.1, &#8220;Adding a Profile Using the Wizard&#8221;</a>.
   </p></td></tr></table></div><div class="procedure"><ol class="procedure" type="1"><li><p>
     Start YaST and select <span class="guimenu">Novell AppArmor</span>+<span class="guimenu">Update Profile Wizard</span>.
    </p><p>
     Running <span class="guimenu">Update Profile Wizard</span> (aa-logprof) parses
     the learning mode log files. This generates a series of questions that
     you must answer to guide aa-logprof to generate the security profile.
     The exact procedure is the same as with creating a new profile. Refer
     to <a class="xref" href="cha.apparmor.yast.html#st.apparmor.yast.wizard.scan" title="Step 9">Step 9</a> in
     <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.wizard" title="22.1. Adding a Profile Using the Wizard">Section 22.1, &#8220;Adding a Profile Using the Wizard&#8221;</a> for details.
    </p></li><li><p>
     When you are done, click <span class="guimenu">Finish</span>. In the following
     pop-up, click <span class="guimenu">Yes</span> to exit the <span class="guimenu">Add Profile
     Wizard</span>. The profile is saved and loaded into the Novell AppArmor
     module.
    </p></li></ol></div></div><div class="sect1" title="22.6. Managing Novell AppArmor and Security Event Status"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.yast.manage"></a>22.6. Managing Novell AppArmor and Security Event Status<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.yast.manage">¶</a></span></h2></div></div></div><p>
   You can change the status of AppArmor by enabling or disabling it. Enabling
   AppArmor protects your system from potential program exploitation. Disabling
   AppArmor, even if your profiles have been set up, removes protection from
   your system. You can determine how and when you are notified when system
   security events occur.
  </p><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left"></th></tr><tr><td colspan="2" align="left" valign="top"><p>
     For event notification to work, you must set up a mail server on your
     system that can send outgoing mail using the Simple Mail Transfer
     Protocol (SMTP), such as postfix or exim.
   </p></td></tr></table></div><p>
   To configure event notification or change the status of AppArmor, start
   YaST and select <span class="guimenu">Novell AppArmor</span>+<span class="guimenu">Novell AppArmor
   Control Panel</span>.
   </p><div class="informalfigure"><div class="mediaobject"><img src="images/sd_controlpanel_1.png" alt="The AppArmor control panel"></div></div><p>
    From the <span class="guimenu">AppArmor Configuration</span> screen, determine whether
    Novell AppArmor and security event notification are running by looking for a status
    message that reads <span class="guimenu">enabled</span>, or configure the mode of
    individual profiles.
  </p><p>
   To change the status of Novell AppArmor, continue as described in
   <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.manage.status" title="22.6.1. Changing Novell AppArmor Status">Section 22.6.1, &#8220;Changing Novell AppArmor Status&#8221;</a>.
   To change the mode of individual profiles, continue as described in
   <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.manage.profmodes" title="22.6.2. Changing the Mode of Individual Profiles">Section 22.6.2, &#8220;Changing the Mode of Individual Profiles&#8221;</a>. To configure
   security event notification, continue as described in
   <a class="xref" href="cha.apparmor.managing.html#sec.apparmor.managing.config_sen" title="26.2. Configuring Security Event Notification">Section 26.2, &#8220;Configuring Security Event Notification&#8221;</a>.
  </p><div class="sect2" title="22.6.1. Changing Novell AppArmor Status"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.yast.manage.status"></a>22.6.1. Changing Novell AppArmor Status<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.yast.manage.status">¶</a></span></h3></div></div></div><p>
     Changing the status of AppArmor means setting it to enabled or disabled. When
     AppArmor is enabled, it is installed, running, and enforcing the AppArmor
     security policies.
   </p><div class="procedure"><ol class="procedure" type="1"><li><p>
      Start YaST and select <span class="guimenu">Novell AppArmor</span>+<span class="guimenu">AppArmor Control Panel</span>.
     </p></li><li><p>
      Enable AppArmor by checking <span class="guimenu">Enable AppArmor</span> or disable AppArmor
      by deselecting it.
     </p></li><li><p>
      Click <span class="guimenu">Done</span> in the <span class="guimenu">AppArmor
      Configuration</span> window.
     </p></li><li><p>
      Click <span class="guimenu">File</span>+<span class="guimenu">Quit</span> in the YaST Control Center.
     </p></li></ol></div></div><div class="sect2" title="22.6.2. Changing the Mode of Individual Profiles"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.yast.manage.profmodes"></a>22.6.2. Changing the Mode of Individual Profiles<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.yast.manage.profmodes">¶</a></span></h3></div></div></div><p>
    AppArmor can apply profiles in two different modes. In
    <span class="emphasis"><em>complain</em></span> or <span class="emphasis"><em>learning</em></span> mode,
    violations of AppArmor profile rules, such as the profiled program accessing
    files not permitted by the profile, are detected. The violations are
    permitted, but also logged. This mode is convenient for developing
    profiles and is used by the AppArmor tools for generating profiles. Loading
    a profile in <span class="emphasis"><em>enforce</em></span> mode enforces the policy
    defined in the profile and reports policy violation attempts to syslogd.
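</p><p>
     In the profile text, the mode is recorded in the profile header: a header that reads <code class="literal">/usr/sbin/foo flags=(complain) {</code> is loaded in complain mode, and a header without that flag is loaded in enforce mode. The Python functions below are an added example, not the code of YaST or of the AppArmor command line tools: they rewrite the flags on every profile and hat header of a constructed sample profile to the requested mode, which is the change on disk that toggling the mode of a profile amounts to. The function names and the sample profile are assumptions.
</p>

```python
"""Added example, not YaST or AppArmor tool code: switch a profile between
complain and enforce mode by editing the flags in its header lines.
The profile text below is a constructed sample and the function names are
assumptions. After such an edit the profile set still has to be reloaded."""
import re

# A profile or hat header: optional indent, the name, optional flags=(...),
# and the opening brace. Rule lines never end in "{", so they do not match.
HEADER_RE = re.compile(
    r"^(?P<indent>\s*)(?P<name>[^{]*?)(?:\s+flags=\((?P<flags>[^)]*)\))?\s*\{\s*$")

def set_mode(profile_text, mode):
    """Rewrite every profile and hat header to the given mode.

    'complain' adds the complain flag and 'enforce' removes it; any other
    flags already present (for example audit) are kept as they are.
    """
    if mode not in ("complain", "enforce"):
        raise ValueError("mode must be 'complain' or 'enforce', got " + mode)
    out = []
    for line in profile_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            out.append(line)
            continue
        flags = [f for f in re.split(r"[\s,]+", m.group("flags") or "")
                 if f and f != "complain"]
        if mode == "complain":
            flags.append("complain")
        header = m.group("indent") + m.group("name")
        if flags:
            header += " flags=(" + ",".join(flags) + ")"
        out.append(header + " {")
    return "\n".join(out) + "\n"

def get_mode(profile_text):
    """Report the mode of the first (outermost) profile header."""
    for line in profile_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            return "complain" if "complain" in (m.group("flags") or "") else "enforce"
    raise ValueError("no profile header found")

def toggle_mode(profile_text):
    """Flip between the two modes, as the Toggle Mode button does."""
    target = "enforce" if get_mode(profile_text) == "complain" else "complain"
    return set_mode(profile_text, target)

# Constructed sample profile with one hat, as written for enforce mode.
ENFORCE = """/usr/sbin/foo {
  #include <abstractions/base>
  /etc/{foo,bar}.conf r,
  ^admin {
    /var/lib/foo/admin/** rw,
  }
}
"""

if __name__ == "__main__":
    complain = toggle_mode(ENFORCE)
    print(complain)
    print(get_mode(complain), "->", get_mode(toggle_mode(complain)))
```

<p>
     Toggling twice returns the exact original text, and a rule such as <code class="literal">/etc/{foo,bar}.conf r,</code> is left alone even though it contains a brace, because only lines that end in an opening brace are treated as headers. The new mode takes effect only after the profile set is reloaded, which applying your settings in YaST takes care of.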
   </p><p>
    The <span class="guimenu">Profile Modes</span> dialog allows you to view and edit
    the mode of currently loaded AppArmor profiles. This feature is useful for
    determining the status of your system during profile development. During
    the course of systemic profiling (see
    <a class="xref" href="cha.apparmor.commandline.html#sec.apparmor.commandline.profiling.systemic" title="23.6.2. Systemic Profiling">Section 23.6.2, &#8220;Systemic Profiling&#8221;</a>), you can
    use this tool to adjust and monitor the scope of the profiles for which
    you are learning behavior.
   </p><p>
    To edit an application's profile mode, proceed as follows:
   </p><div class="procedure"><ol class="procedure" type="1"><li><p>
      Start YaST and select <span class="guimenu">Novell AppArmor</span>+<span class="guimenu">AppArmor Control Panel</span>.
     </p></li><li><p>
      In the <span class="guimenu">Configure Profile Modes</span> section, select
      <span class="guimenu">Configure</span>.
     </p></li><li><p>
      Select the profile for which to change the mode.
     </p></li><li><p>
      Select <span class="guimenu">Toggle Mode</span> to set this profile to
      <span class="emphasis"><em>complain</em></span> mode or to <span class="emphasis"><em>enforce</em></span>
      mode.
     </p></li><li><p>
      Apply your settings and leave YaST with <span class="guimenu">Done</span>.
     </p></li></ol></div><p>
    To change the mode of all profiles, use <span class="guimenu">Set All to
    Enforce</span> or <span class="guimenu">Set All to Complain</span>.
   </p><div class="tip"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Tip: Listing the Profiles Available"><tr class="head"><td width="32"><img alt="[Tip]" src="admon/tip.png"></td><th align="left">Listing the Profiles Available</th></tr><tr><td colspan="2" align="left" valign="top"><p>
     By default, only active profiles are listed (any profile that has a
     matching application installed on your system). To set up a profile
     before installing the respective application, click <span class="guimenu">Show All
     Profiles</span> and select the profile to configure from the list
     that appears.
    </p></td></tr></table></div></div></div></div></body></html>