<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 24. Profiling Your Web Applications Using ChangeHat</title><link rel="stylesheet" href="susebooks.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Documentation"><link rel="up" href="part.apparmor.html" title="Part IV. Confining Privileges with Novell AppArmor"><link rel="prev" href="cha.apparmor.commandline.html" title="Chapter 23. Building Profiles from the Command Line"><link rel="next" href="cha.apparmor.pam.html" title="Chapter 25. Confining Users with pam_apparmor"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="chapter" title="Chapter 24. Profiling Your Web Applications Using ChangeHat"><div class="titlepage"><div><div><h2 class="title"><a name="cha.apparmor.hat"></a>Chapter 24. Profiling Your Web Applications Using ChangeHat<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#cha.apparmor.hat">¶</a></span></h2></div></div></div><div class="toc"><p><b>Contents</b></p><dl><dt><span class="sect1"><a href="cha.apparmor.hat.html#sec.apparmor.hat.apache">24.1. 
Apache ChangeHat</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.hat.html#sec.apparmor.hat.config">24.2. Configuring Apache for mod_apparmor</a></span></dt></dl></div><p>
  A Novell® AppArmor profile represents the security policy for an individual
  program instance or process. It applies to an executable program, but if a
  portion of the program needs different access permissions than other
  portions, the program can <span class="quote">&#8220;<span class="quote">change hats</span>&#8221;</span> to use a different
  security context, distinctive from the access of the main program. This is
  known as a <span class="emphasis"><em>hat</em></span> or <span class="emphasis"><em>subprofile</em></span>.
 </p><p>
  ChangeHat enables programs to change to or from a <span class="emphasis"><em>hat</em></span>
  within a Novell AppArmor profile. It enables you to define security at a finer level
  than the process. This feature requires that each application be made
  <span class="quote">&#8220;<span class="quote">ChangeHat aware</span>&#8221;</span>, meaning that it is modified to make a
  request to the Novell AppArmor module to switch security domains at arbitrary times
  during the application execution. Two examples for ChangeHat-aware
  applications are the Apache Web server and Tomcat.
 </p><p>
  A profile can have an arbitrary number of subprofiles, but there are only
  two levels: a subprofile cannot have further sub-subprofiles. A subprofile
  is written as a separate profile and named as the containing profile
  followed by the subprofile name, separated by a <code class="literal">^</code>.
  Subprofiles must be stored in the same file as the parent profile.
 </p><p>
  Note that the security of hats is considerably weaker than that of full
  profiles. That is to say, if attackers can find just the right kind of bug
  in a program, they may be able to escape from a hat into the containing
  profile. This is because the security of hats is determined by a secret
  key handled by the containing process, and the code running in the hat
  must not have access to the key. Thus change_hat is most useful in
  conjunction with application servers, where a language interpreter (such
  as PERL, PHP, or Java) is isolating pieces of code such that they do not
  have direct access to the memory of the containing process.
 </p><p>
  The rest of this chapter describes using change_hat in conjunction with
  Apache, to contain web server components run using mod_perl and mod_php.
  Similar approaches can be used with any application server by providing an
  application module similar to the mod_apparmor described next in
  <a class="xref" href="cha.apparmor.hat.html#sec.apparmor.hat.config.directives" title="24.2.2. Location and Directory Directives">Section 24.2.2, &#8220;Location and Directory Directives&#8221;</a>.
 </p><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note: For More Information"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left">For More Information</th></tr><tr><td colspan="2" align="left" valign="top"><p>
   For more information, see the <span class="command"><strong>change_hat</strong></span> man page.
  </p></td></tr></table></div><div class="sect1" title="24.1. Apache ChangeHat"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.hat.apache"></a>24.1. Apache ChangeHat<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.hat.apache">¶</a></span></h2></div></div></div><p>
   
   <span>Novell AppArmor provides a <code class="literal">mod_apparmor</code>
   module (package
   <code class="systemitem">apache2-mod_apparmor</code>) for
   the Apache program.</span> This module makes the Apache Web server
   ChangeHat aware. Install it along with Apache.
  </p><p>
   When Apache is ChangeHat aware, it checks for the following customized
   Novell AppArmor security profiles in the order given for every URI request that it
   receives.
  </p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
     URI-specific hat. For example,
     <code class="filename">^phpsysinfo/templates/classic/images/bar_left.gif</code>
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     <code class="literal">DEFAULT_URI</code>
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     <code class="literal">HANDLING_UNTRUSTED_INPUT</code>
    </p></li></ul></div><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note: Apache Configuration"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left">Apache Configuration</th></tr><tr><td colspan="2" align="left" valign="top"><p>
    If you install
    <span><code class="systemitem">apache2-mod_apparmor</code></span>,
    make sure the module gets loaded in Apache by executing the following
    command:
   </p><pre class="screen">a2enmod apparmor</pre></td></tr></table></div><div class="sect2" title="24.1.1. Managing ChangeHat-Aware Applications"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.hat.apache.managing"></a>24.1.1. Managing ChangeHat-Aware Applications<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.hat.apache.managing">¶</a></span></h3></div></div></div><p>
    As with most of the Novell AppArmor tools, you can use two methods for managing
    ChangeHat, YaST or the command line interface. Managing
    ChangeHat-aware applications from the command line is much more
    flexible, but the process is also more complicated. Both methods allow
    you to manage the hats for your application and populate them with
    profile entries.
   </p><p>
    The following steps are a demonstration that adds hats to an Apache
    profile using YaST. In the <span class="guimenu">Add Profile Wizard</span>, the
    Novell AppArmor profiling utilities prompt you to create new hats for distinct URI
    requests. Choosing to create a new hat allows you to create individual
    profiles for each URI. You can create very tight rules for each request.
   </p><p>
    If the URI that is processed does not represent significant processing
    or otherwise does not represent a significant security risk, safely
    select <span class="guimenu">Use Default Hat</span> to process this URI in the
    default hat, which is the default security profile.
   </p><p>
    This example creates a new hat for the URI
    <code class="filename">phpsysinfo</code> and its subsequent accesses. Using the
    profiling utilities, delegate what to add to this new hat. The resulting
    hat becomes a tight-security container that encompasses all the
    processing on the server that occurs when the
    <code class="filename">phpsysinfo</code> URI is passed to the Apache Web server.
   </p><p>
    The URI runs the application phpsysinfo (refer to
    <a class="ulink" href="http://phpsysinfo.sourceforge.net" target="_top">http://phpsysinfo.sourceforge.net</a> for more
    information). The
    <code class="systemitem">phpsysinfo</code> package is
    assumed to be installed in
    <code class="filename">/srv/www/htdocs/phpsysinfo</code> in a clean (new)
    installation of
    <span>openSUSE</span>
    and AppArmor.
   </p><div class="procedure"><ol class="procedure" type="1"><li><p>
      Once <code class="systemitem">phpsysinfo</code> is
      installed, you are ready to add hats to the Apache profile. From the
      Novell AppArmor GUI, select <span class="guimenu">Add Profile Wizard</span>.
     </p></li><li><p>
      In <span class="guimenu">Application to Profile</span>, enter
      <span class="command"><strong>httpd2-prefork</strong></span>.
     </p></li><li><p>
      Click <span class="guimenu">Create Profile</span>.
     </p><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="40%"><tr><td><img src="images/sd_profilecreationwizard_1.png" width="100%" alt="Add Profile Wizard"></td></tr></table></div></div></li><li><p>
      Restart Apache by entering <span class="command"><strong>rcapache2 restart</strong></span> in a
      terminal window.
     </p><p>
      Restart any program you are profiling at this point.
     </p></li><li><p>
      Open <code class="filename">http://localhost/phpsysinfo/</code> in a Web
      browser window. The browser window should display network usage and
      system information.
     </p><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note: Data Caching"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left">Data Caching</th></tr><tr><td colspan="2" align="left" valign="top"><p>
       To ensure that this request is processed by the server and you do not
       review cached data in your browser, refresh the page. To do this,
       click the browser <span class="guimenu">Refresh</span> button to make sure that
       Apache processes the request for the <code class="literal">phpsysinfo</code>
       URI.
      </p></td></tr></table></div></li><li><p>
      Click <span class="guimenu">Scan System Log for Entries to Add to
      Profiles</span>. Novell AppArmor launches the <span class="command"><strong>aa-logprof</strong></span>
      tool, which scans the information learned in the previous step. It
      begins to prompt you with profile questions.
     </p></li><li><p>
      <span class="command"><strong>aa-logprof</strong></span> first prompts with <span class="guimenu">Add
      Requested Hat</span> or <span class="guimenu">Use Default Hat</span> because
      it noticed that the <code class="literal">phpsysinfo</code> URI was accessed.
      Select <span class="guimenu">Add Requested Hat</span>.
     </p></li><li><p>
      Click <span class="guimenu">Allow</span>.
     </p><p>
      Choosing <span class="guimenu">Add Requested Hat</span> in the previous step
      creates a new hat in the profile and specifies that the results of
      subsequent questions about the script's actions are added to the newly
      created hat rather than the default hat for this application.
     </p><p>
      In the next screen, Novell AppArmor displays an external program that the script
      executed. You can specify that the program should run confined by the
      phpsysinfo hat (choose <span class="guimenu">Inherit</span>), confined by a
      separate profile (choose <span class="guimenu">Profile</span>), or that it
      should run unconfined or without any security profile (choose
      <span class="guimenu">Unconfined</span>). For the case of the
      <span class="guimenu">Profile</span> option, a new profile is created for the
      program if one does not already exist.
     </p><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note: Security Considerations"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left">Security Considerations</th></tr><tr><td colspan="2" align="left" valign="top"><p>
       Selecting <span class="guimenu">Unconfined</span> can create a significant
       security hole and should be done with caution.
      </p></td></tr></table></div><ol type="a" class="substeps"><li><p>
        Select <span class="guimenu">Inherit</span> for the
        <code class="filename">/bin/bash</code> path. This adds
        <code class="filename">/bin/bash</code> (accessed by Apache) to the
        phpsysinfo hat profile with the necessary permissions.
       </p></li><li><p>
        Click <span class="guimenu">Allow</span>.
       </p></li></ol></li><li><p>
      The remaining questions prompt you to generate new hats and add
      entries to your profile and its hats. The process of adding entries to
      profiles is covered in detail in the
      <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.wizard" title="22.1. Adding a Profile Using the Wizard">Section 22.1, &#8220;Adding a Profile Using the Wizard&#8221;</a>.
     </p><p>
      When all profiling questions are answered, click
      <span class="guimenu">Finish</span> to save your changes and exit the wizard.
     </p></li></ol></div><p>
    The following is an example phpsysinfo hat.
   </p><div class="example"><a name="ex.hat.apache.managing.phpsysinfo"></a><p class="title"><b>Example 24.1. Example phpsysinfo Hat</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#ex.hat.apache.managing.phpsysinfo">¶</a></span></p><div class="example-contents"><pre class="screen">/usr/sbin/httpd2-prefork {
  ...
  ^phpsysinfo {
    #include &lt;abstractions/bash&gt;
    #include &lt;abstractions/nameservice&gt;

    /bin/basename                        ixr,
    /bin/bash                            ixr,
    /bin/df                              ixr,
    /bin/grep                            ixr,
    /bin/mount                           Ux,
    /bin/sed                             ixr,
    /dev/bus/usb/                        r,
    /dev/bus/usb/**                      r,
    /dev/null                            w,
    /dev/tty                             rw,
    /dev/urandom                         r,
    /etc/SuSE-release                    r,
    /etc/ld.so.cache                     r,
    /etc/lsb-release                     r,
    /etc/lsb-release.d/                  r,
    /lib/ld-2.6.1.so                     ixr,
    /proc/**                             r,
    /sbin/lspci                          ixr,
    /srv/www/htdocs/phpsysinfo/**        r,
    /sys/bus/pci/**                      r,
    /sys/bus/scsi/devices/               r,
    /sys/devices/**                      r,
    /usr/bin/cut                         ixr,
    /usr/bin/getopt                      ixr,
    /usr/bin/head                        ixr,
    /usr/bin/lsb_release                 ixr,
    /usr/bin/lsscsi                      ixr,
    /usr/bin/tr                          ixr,
    /usr/bin/who                         ixr,
    /usr/lib/lib*so*                     mr,
    /usr/lib/locale/**                   r,
    /usr/sbin/lsusb                      ixr,
    /usr/share/locale/**                 r,
    /usr/share/pci.ids                   r,
    /usr/share/usb.ids                   r,
    /var/log/apache2/access_log          w,
    /var/run/utmp                        kr,
   }
}</pre></div></div><br class="example-break"><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note: Hat and Parent Profile Relationship"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left">Hat and Parent Profile Relationship</th></tr><tr><td colspan="2" align="left" valign="top"><p>
     The profile <code class="filename">^phpsysinfo</code> is only valid in the
     context of a process running under the parent profile
     <code class="filename">httpd2-prefork</code>.
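As an added example (it is not code from the openSUSE guide or from the AppArmor project), the following Python script parses a profile written in the syntax of Example 24.1, lists its hats, rejects a hat opened inside another hat (the two-level rule stated at the start of this chapter), and reports every hat rule whose execute mode is <code class="literal">ux</code>/<code class="literal">Ux</code>, because such a rule runs the target with no profile at all, which is the hole the Security Considerations note above warns about. The profile text embedded in the script is a constructed abridgement of Example 24.1 plus a <code class="literal">DEFAULT_URI</code> hat; the one finding it reports is the <code class="filename">/bin/mount Ux</code> line.

```python
"""Lint the hats of an AppArmor profile.  Added example, not code from the
openSUSE guide or from the AppArmor project; the profile text below is a
constructed abridgement of the chapter's Example 24.1 plus a DEFAULT_URI hat."""
import re

SAMPLE_PROFILE = """\
/usr/sbin/httpd2-prefork {
  #include <abstractions/base>
  ^phpsysinfo {
    #include <abstractions/bash>
    /bin/bash                            ixr,
    /bin/df                              ixr,
    /bin/mount                           Ux,
    /proc/**                             r,
    /srv/www/htdocs/phpsysinfo/**        r,
    /var/run/utmp                        kr,
  }
  ^DEFAULT_URI {
    /srv/www/htdocs/**                   r,
  }
}
"""

# A path rule: "<path>   <mode letters>,"  (comments and #include start with '#')
RULE_RE = re.compile(r'^(\S+)\s+([A-Za-z]+),$')


def parse_profile(text):
    """Return {profile: {hat_or_None: [(path, mode), ...]}}.

    Top-level rules of a profile are stored under the key None.  A hat opened
    while another hat is still open raises ValueError, because AppArmor allows
    a profile and its hats but no deeper nesting."""
    profiles = {}
    profile = hat = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):        # comments and #include lines
            continue
        if line.endswith('{'):
            name = line[:-1].strip()
            if profile is None:                      # "/usr/sbin/httpd2-prefork {"
                profile = name
                profiles[profile] = {None: []}
            elif name.startswith('^') and hat is None:   # "^phpsysinfo {"
                hat = name[1:]
                profiles[profile][hat] = []
            else:
                where = profile + (f'^{hat}' if hat else '')
                raise ValueError(f'line {lineno}: {name!r} opened inside {where}')
            continue
        if line == '}':
            if hat is not None:
                hat = None                           # back to the parent profile
            else:
                profile = None
            continue
        m = RULE_RE.match(line)
        if m and profile is not None:
            profiles[profile][hat].append((m.group(1), m.group(2)))
    return profiles


def hats_of(profiles, profile):
    """Names of the hats a profile defines, in file order."""
    return [h for h in profiles[profile] if h is not None]


def lint_hats(profiles):
    """Flag hat rules whose execute mode is ux/Ux: the executed program then
    runs unconfined, so the hat no longer bounds what that request can do."""
    findings = []
    for profile, hats in profiles.items():
        for hat, rules in hats.items():
            if hat is None:
                continue
            for path, mode in rules:
                if 'u' in mode.lower():
                    findings.append((profile, hat, path, mode))
    return findings


if __name__ == '__main__':
    parsed = parse_profile(SAMPLE_PROFILE)
    for prof in parsed:
        print(prof, 'hats:', hats_of(parsed, prof))
    for prof, hat, path, mode in lint_hats(parsed):
        print(f'{prof}^{hat}: {path} runs unconfined ({mode})')
```

Run it against a real profile by reading <code class="filename">/etc/apparmor.d/usr.sbin.httpd2-prefork</code> into <code class="literal">parse_profile</code> instead of the constructed text; the nesting check mirrors what the parser will reject at load time, while the <code class="literal">Ux</code> report is a review aid, not a substitute for deciding whether each such program really needs to leave confinement.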
    </p></td></tr></table></div></div><div class="sect2" title="24.1.2. Adding Hats and Entries to Hats"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.hat.apache.managing.add"></a>24.1.2. Adding Hats and Entries to Hats<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.hat.apache.managing.add">¶</a></span></h3></div></div></div><p>
    When you use the <span class="guimenu">Edit Profile</span> dialog (for
    instructions, refer to
    <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.edit" title="22.3. Editing Profiles">Section 22.3, &#8220;Editing Profiles&#8221;</a>) or
    when you add a new profile using <span class="guimenu">Manually Add Profile</span>
    (for instructions, refer to
    <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.add" title="22.2. Manually Adding a Profile">Section 22.2, &#8220;Manually Adding a Profile&#8221;</a>),
    you are given the option of adding hats (subprofiles) to your Novell AppArmor
    profiles. Add a ChangeHat subprofile from the <span class="guimenu">AppArmor Profile
    Dialog</span> window as in the following.
   </p><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="75%"><tr><td><img src="images/hats_in_profiles.png" width="100%" alt="AppArmor profile dialog"></td></tr></table></div></div><div class="procedure"><ol class="procedure" type="1"><li><p>
      From the <span class="guimenu">AppArmor Profile Dialog</span> window, click
      <span class="guimenu">Add Entry</span> then select <span class="guimenu">Hat</span>. The
      <span class="guimenu">Enter Hat Name</span> dialog box opens:
     </p><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="35%"><tr><td><img src="images/hat_createhat.png" width="100%" alt="Enter hat name"></td></tr></table></div></div></li><li><p>
      Enter the name of the hat to add to the Novell AppArmor profile. The name is the
      URI that, when accessed, receives the permissions set in the hat.
     </p></li><li><p>
      Click <span class="guimenu">Create Hat</span>. You are returned to the
      <span class="guimenu">AppArmor Profile Dialog</span> screen.
     </p></li><li><p>
      After adding the new hat, click <span class="guimenu">Done</span>.
     </p></li></ol></div><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note: For More Information"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left">For More Information</th></tr><tr><td colspan="2" align="left" valign="top"><p>
     For an example of a Novell AppArmor profile, refer to
     <a class="xref" href="cha.apparmor.hat.html#ex.hat.apache.managing.phpsysinfo" title="Example 24.1. Example phpsysinfo Hat">Example 24.1, &#8220;Example phpsysinfo Hat&#8221;</a>.
    </p></td></tr></table></div></div></div><div class="sect1" title="24.2. Configuring Apache for mod_apparmor"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.hat.config"></a>24.2. Configuring Apache for mod_apparmor<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.hat.config">¶</a></span></h2></div></div></div><p>
   Apache is configured by placing directives in plain text configuration
   files. The main configuration file is usually
   <code class="filename">httpd.conf</code>. When you compile Apache, you can
   indicate the location of this file. Directives can be placed in any of
   these configuration files to alter the way Apache behaves. When you make
   changes to the main configuration files, you need to start or restart
   Apache, so the changes are recognized.
  </p><div class="sect2" title="24.2.1. Virtual Host Directives"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.hat.config.vhost"></a>24.2.1. Virtual Host Directives<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.hat.config.vhost">¶</a></span></h3></div></div></div><p>
    Virtual host directives control whether requests that contain trailing
    pathname information following an actual filename (or that refer to a
    nonexistent file in an existing directory) are accepted or rejected. For
    Apache documentation on virtual host directives, refer to
    <a class="ulink" href="http://httpd.apache.org/docs/2.2/mod/core.html#virtualhost" target="_top">http://httpd.apache.org/docs/2.2/mod/core.html#virtualhost</a>.
   </p><p>
    The ChangeHat-specific configuration keyword is
    <code class="literal">AADefaultHatName</code>. It is used similarly to
    <code class="literal">AAHatName</code>, for example, <code class="literal">AADefaultHatName
    My_Funky_Default_Hat</code>.
   </p><p>
    The configuration option is actually based on a server directive, which
    enables you to use the keyword outside of other options, setting it for
    the default server. Virtual hosts are considered internally within
    Apache to be separate <span class="quote">&#8220;<span class="quote">servers,</span>&#8221;</span> so you can set a default
    hat name for the default server as well as one for each virtual host, if
    desired.
   </p><p>
    When a request comes in, the following steps reflect the sequence in
    which <code class="literal">mod_apparmor</code> attempts to apply hats.
   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li><p>
      A location or directory hat as specified by the
      <code class="literal">AAHatName</code> keyword
     </p></li><li><p>
      A hat named by the entire URI path
     </p></li><li><p>
      A default server hat as specified by the
      <code class="literal">AADefaultHatName</code> keyword
     </p></li><li><p>
      <code class="literal">DEFAULT_URI</code> (if none of those exist, it goes back
      to the <span class="quote">&#8220;<span class="quote">parent</span>&#8221;</span> Apache hat)
     </p></li></ol></div></div><div class="sect2" title="24.2.2. Location and Directory Directives"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.hat.config.directives"></a>24.2.2. Location and Directory Directives<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.hat.config.directives">¶</a></span></h3></div></div></div><p>
     Location and directory directives name hats in the program's
     configuration file, so that the program changes into the named hat when
     it serves requests for that location or directory.
    For Apache, you can find documentation about the location and directory
    directives at
    <a class="ulink" href="http://httpd.apache.org/docs/2.2/sections.html" target="_top">http://httpd.apache.org/docs/2.2/sections.html</a>.
   </p><p>
    The location directive example below specifies that, for a given
    location, <code class="literal">mod_apparmor</code> should use a specific hat:
   </p><pre class="screen">&lt;Location /foo/&gt; AAHatName MY_HAT_NAME &lt;/Location&gt;
   </pre><p>
    This tries to use <code class="literal">MY_HAT_NAME</code> for any URI beginning
    with <code class="filename">/foo/</code> (<code class="filename">/foo/</code>,
    <code class="filename">/foo/bar</code>,
    <code class="filename">/foo/cgi/path/blah_blah/blah</code>, etc.).
   </p><p>
    The directory directive works similarly to the location directive,
    except it refers to a path in the file system as in the following
    example:
   </p><pre class="screen">
&lt;Directory "/srv/www/www.immunix.com/docs"&gt; 
  # Note lack of trailing slash 
  AAHatName immunix.com 
&lt;/Directory&gt;</pre><p title="Example:"><b>Example: </b>
     The program phpsysinfo is used to illustrate a location directive in
     the following example. The tarball can be downloaded from
     <a class="ulink" href="http://phpsysinfo.sourceforge.net" target="_top">http://phpsysinfo.sourceforge.net</a>.
    </p><div class="procedure"><ol class="procedure" type="1"><li><p>
      After downloading the tarball, install it into
      <code class="filename">/srv/www/htdocs/phpsysinfo</code>.
     </p></li><li><p>
      Create <code class="filename">/etc/apache2/conf.d/phpsysinfo.conf</code> and
      add the following text to it:
     </p><pre class="screen">
&lt;Location "/phpsysinfo"&gt; 
  AAHatName phpsysinfo
&lt;/Location&gt;</pre><p>
      The following hat should then work for phpsysinfo:
     </p><pre class="screen">/usr/sbin/httpd2-prefork {
  ...
  ^phpsysinfo {
    #include &lt;abstractions/bash&gt;
    #include &lt;abstractions/nameservice&gt;

    /bin/basename                        ixr,
    /bin/bash                            ixr,
    /bin/df                              ixr,
    /bin/grep                            ixr,
    /bin/mount                           Ux,
    /bin/sed                             ixr,
    /dev/bus/usb/                        r,
    /dev/bus/usb/**                      r,
    /dev/null                            w,
    /dev/tty                             rw,
    /dev/urandom                         r,
    /etc/SuSE-release                    r,
    /etc/ld.so.cache                     r,
    /etc/lsb-release                     r,
    /etc/lsb-release.d/                  r,
    /lib/ld-2.6.1.so                     ixr,
    /proc/**                             r,
    /sbin/lspci                          ixr,
    /srv/www/htdocs/phpsysinfo/**        r,
    /sys/bus/pci/**                      r,
    /sys/bus/scsi/devices/               r,
    /sys/devices/**                      r,
    /usr/bin/cut                         ixr,
    /usr/bin/getopt                      ixr,
    /usr/bin/head                        ixr,
    /usr/bin/lsb_release                 ixr,
    /usr/bin/lsscsi                      ixr,
    /usr/bin/tr                          ixr,
    /usr/bin/who                         ixr,
    /usr/lib/lib*so*                     mr,
    /usr/lib/locale/**                   r,
    /usr/sbin/lsusb                      ixr,
    /usr/share/locale/**                 r,
    /usr/share/pci.ids                   r,
    /usr/share/usb.ids                   r,
    /var/log/apache2/access_log          w,
    /var/run/utmp                        kr,
   }
}
     </pre></li><li><p>
      Reload Novell AppArmor profiles by entering <span class="command"><strong>rcapparmor
      restart</strong></span> at a terminal window as <code class="systemitem">root</code>.
     </p></li><li><p>
      Restart Apache by entering <span class="command"><strong>rcapache2 restart</strong></span> at a
      terminal window as <code class="systemitem">root</code>.
     </p></li><li><p>
      Enter <code class="filename">http://hostname/phpsysinfo/</code> into a browser
      to receive the system information that phpsysinfo delivers.
     </p></li><li><p>
      Locate configuration errors by going to
      <code class="filename">/var/log/audit/audit.log</code> or running
      <span class="command"><strong>dmesg</strong></span> and looking for any rejections in the output.
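To make the last step repeatable, the following Python script (an added example, not code from the openSUSE guide) groups AppArmor denials from <code class="filename">audit.log</code> by the profile and hat that raised them, so a misconfigured hat shows up as a cluster of rejections under <code class="literal">httpd2-prefork//phpsysinfo</code> rather than as scattered lines. The audit records embedded in it are constructed, not captured; they follow the <code class="literal">key="value"</code> layout of <code class="filename">/var/log/audit/audit.log</code>, in which a hat is written as <code class="literal">parent//hat</code>. Records from <code class="command"><strong>dmesg</strong></code> on older kernels use a different layout and are not handled.

```python
"""Group AppArmor denials from audit.log by profile and hat.  Added example,
not code from the openSUSE guide; the audit lines below are constructed, not
captured, in the key="value" layout of audit.log where a hat is parent//hat."""
import re
from collections import defaultdict

SAMPLE_AUDIT = """\
type=AVC msg=audit(1300000001.100:11): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd2-prefork//phpsysinfo" name="/etc/shadow" pid=4242 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=0
type=AVC msg=audit(1300000001.200:12): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/httpd2-prefork//phpsysinfo" name="/bin/df" pid=4242 comm="httpd2-prefork" requested_mask="x" denied_mask="x"
type=AVC msg=audit(1300000002.300:13): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd2-prefork//phpsysinfo" name="/etc/shadow" pid=4243 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=0
type=AVC msg=audit(1300000003.400:14): apparmor="DENIED" operation="exec" profile="/usr/sbin/httpd2-prefork//DEFAULT_URI" name="/usr/bin/perl" pid=4244 comm="httpd2-prefork" requested_mask="x" denied_mask="x"
type=SYSCALL msg=audit(1300000003.400:14): arch=c000003e syscall=59 success=no exit=-13
"""

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_record(line):
    """Turn one audit line into a dict of its key=value fields."""
    rec = {}
    for m in KV_RE.finditer(line):
        if m.group(1):
            rec[m.group(1)] = m.group(2)
        else:
            rec[m.group(3)] = m.group(4)
    return rec


def split_hat(profile):
    """'/usr/sbin/httpd2-prefork//phpsysinfo' -> (parent, 'phpsysinfo');
    a plain profile name yields hat None."""
    parent, _, hat = profile.partition('//')
    return parent, (hat or None)


def summarize_denials(text):
    """{(parent, hat): {(operation, name, denied_mask): count}} for DENIED
    AVC records only; ALLOWED (complain-mode) and non-AVC lines are skipped."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get('type') != 'AVC' or rec.get('apparmor') != 'DENIED':
            continue
        parent, hat = split_hat(rec.get('profile', ''))
        event = (rec.get('operation'), rec.get('name'), rec.get('denied_mask'))
        counts[(parent, hat)][event] += 1
    return {k: dict(v) for k, v in counts.items()}


def report(summary):
    """Human-readable lines per hat, most frequent denial first."""
    lines = []
    for (parent, hat), events in sorted(summary.items(),
                                        key=lambda kv: (kv[0][0], kv[0][1] or '')):
        label = f'{parent}^{hat}' if hat else parent
        for (op, name, mask), n in sorted(events.items(), key=lambda e: -e[1]):
            lines.append(f'{label}: {op} {name} (denied {mask}) x{n}')
    return lines


if __name__ == '__main__':
    for line in report(summarize_denials(SAMPLE_AUDIT)):
        print(line)
```

Feed it the real file with <code class="literal">summarize_denials(open('/var/log/audit/audit.log').read())</code>. A denial listed under the hat is the expected kind of finding for this step; whether the hat should gain the rule is a separate decision, and a denial of <code class="filename">/etc/shadow</code>, as in the constructed sample, is the hat doing its job rather than a configuration error to fix.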
      </p></li></ol></div></div></div></div></body></html>