ACC SHELL
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 27. Support</title><link rel="stylesheet" href="susebooks.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Documentation"><link rel="up" href="part.apparmor.html" title="Part IV. Confining Privileges with Novell AppArmor"><link rel="prev" href="cha.apparmor.managing.html" title="Chapter 26. Managing Profiled Applications"><link rel="next" href="cha.apparmor.glossary.html" title="Chapter 28. AppArmor Glossary"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header" border="0" class="bctable"><tr><td width="80%"><div class="breadcrumbs"><p><a href="index.html"> Documentation</a><span class="breadcrumbs-sep"> > </span><a href="book.security.html">Security Guide</a><span class="breadcrumbs-sep"> > </span><a href="part.apparmor.html">Confining Privileges with Novell AppArmor</a><span class="breadcrumbs-sep"> > </span><strong><a accesskey="p" title="Chapter 26. Managing Profiled Applications" href="cha.apparmor.managing.html"><span>◀</span></a> <a accesskey="n" title="Chapter 28. AppArmor Glossary" href="cha.apparmor.glossary.html"><span>▶</span></a></strong></p></div></td></tr></table></div><div class="chapter" title="Chapter 27. Support"><div class="titlepage"><div><div><h2 class="title"><a name="cha.apparmor.support"></a>Chapter 27. Support<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#cha.apparmor.support">¶</a></span></h2></div></div></div><div class="toc"><p><b>Contents</b></p><dl><dt><span class="sect1"><a href="cha.apparmor.support.html#sec.apparmor.support.updating">27.1. Updating Novell AppArmor Online</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.support.html#sec.apparmor.support.man">27.2. Using the Man Pages</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.support.html#sec.apparmor.support.info">27.3. For More Information</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.support.html#sec.apparmor.support.trouble">27.4. Troubleshooting</a></span></dt><dt><span class="sect1"><a href="cha.apparmor.support.html#sec.apparmor.support.bugs">27.5. Reporting Bugs for AppArmor</a></span></dt></dl></div><p>
This chapter outlines maintenance-related tasks. Learn how to update
Novell® AppArmor and get a list of available man pages providing basic help for
using the command line tools provided by Novell AppArmor. Use the troubleshooting
section to learn about some common problems encountered with Novell AppArmor and
their solutions. Report defects or enhancement requests for Novell AppArmor
following the instructions in this chapter.
</p><div class="sect1" title="27.1. Updating Novell AppArmor Online"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.support.updating"></a>27.1. Updating Novell AppArmor Online<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.support.updating">¶</a></span></h2></div></div></div><p>
Updates for Novell AppArmor packages are provided in the same way as any other
update for
<span>openSUSE</span>.
Retrieve and apply them exactly like for any other package that ships as
part of
<span>openSUSE</span>.
</p></div><div class="sect1" title="27.2. Using the Man Pages"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.support.man"></a>27.2. Using the Man Pages<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.support.man">¶</a></span></h2></div></div></div><p>
There are man pages available for your use. In a terminal, enter
<span class="command"><strong>man apparmor</strong></span> to open the apparmor man page. Man pages
are distributed in sections numbered 1 through 8. Each section is
specific to a category of documentation:
</p><div class="table"><a name="id613344"></a><p class="title"><b>Table 27.1. Man Pages: Sections and Categories</b></p><div class="table-contents"><table summary="Man Pages: Sections and Categories" border="1"><colgroup><col><col></colgroup><thead><tr><th>
<p>
Section
</p>
</th><th>
<p>
Category
</p>
</th></tr></thead><tbody><tr><td>
<p>
1
</p>
</td><td>
<p>
User commands
</p>
</td></tr><tr><td>
<p>
2
</p>
</td><td>
<p>
System calls
</p>
</td></tr><tr><td>
<p>
3
</p>
</td><td>
<p>
Library functions
</p>
</td></tr><tr><td>
<p>
4
</p>
</td><td>
<p>
Device driver information
</p>
</td></tr><tr><td>
<p>
5
</p>
</td><td>
<p>
Configuration file formats
</p>
</td></tr><tr><td>
<p>
6
</p>
</td><td>
<p>
Games
</p>
</td></tr><tr><td>
<p>
7
</p>
</td><td>
<p>
High level concepts
</p>
</td></tr><tr><td>
<p>
8
</p>
</td><td>
<p>
Administrator commands
</p>
</td></tr></tbody></table></div></div><br class="table-break"><p>
The section numbers are used to distinguish man pages from each other.
For example, <code class="systemitem">exit(2)</code> describes the exit system
call, while <code class="systemitem">exit(3)</code> describes the exit C library
function.
</p><p>
The Novell AppArmor man pages are:
</p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">unconfined(8)</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">autodep(1)</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">complain(1)</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">enforce(1)</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">genprof(1)</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">logprof(1)</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">change_hat(2)</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">logprof.conf(5)</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">apparmor.conf(5)</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">apparmor.d(5)</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">apparmor.vim(5)</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">apparmor(7)</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">apparmor_parser(8)</code>
</p></li></ul></div></div><div class="sect1" title="27.3. For More Information"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.support.info"></a>27.3. For More Information<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.support.info">¶</a></span></h2></div></div></div><p>
Find more information about the AppArmor product on the Novell AppArmor product page at
Novell:
<a class="ulink" href="http://www.novell.com/linux/security/apparmor//" target="_top">http://www.novell.com/linux/security/apparmor//</a>. Find
the product documentation for Novell AppArmor, including this document, at
<a class="ulink" href="http://www.novell.com/documentation/apparmor/" target="_top">http://www.novell.com/documentation/apparmor/</a> or in the
installed system in <code class="filename">/usr/share/doc/manual</code>.
</p><p>
There are specific mailing lists for AppArmor that users can post to or join
to communicate with developers.
</p><div class="variablelist"><dl><dt><span class="term"><a class="ulink" href="mailto:apparmor-general@forge.novell.com" target="_top">apparmor-general@forge.novell.com</a>
</span></dt><dd><p>
This is a mailing list for end users of AppArmor. It is a good place for
questions about how to use AppArmor to protect your applications.
</p></dd><dt><span class="term"><a class="ulink" href="mailto:apparmor-dev@forge.novell.com" target="_top">apparmor-dev@forge.novell.com</a>
</span></dt><dd><p>
This is a developer mailing list for AppArmor developers and community
members. This list is for questions about development of core AppArmor
features—the kernel module and the profiling tools. If you are
interested in reviewing the code for AppArmor and contributing reviews or
patches, this would be the list for you.
</p></dd><dt><span class="term"><a class="ulink" href="mailto:apparmor-announce@forge.novell.com" target="_top">apparmor-announce@forge.novell.com</a>
</span></dt><dd><p>
This is a low traffic list announcing the availability of new releases
or features.
</p></dd></dl></div></div><div class="sect1" title="27.4. Troubleshooting"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.support.trouble"></a>27.4. Troubleshooting<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.support.trouble">¶</a></span></h2></div></div></div><p>
This section lists the most common problems and error messages that may
occur using Novell AppArmor.
</p><div class="sect2" title="27.4.1. How to React to odd Application Behavior?"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.support.trouble.odd"></a>27.4.1. How to React to odd Application Behavior?<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.support.trouble.odd">¶</a></span></h3></div></div></div><p>
If you notice odd application behavior or any other type of application
problem, you should first check the reject messages in the log files to
see if AppArmor is too closely constricting your application. To check
reject messages, start <span class="guimenu">YaST</span>+<span class="guimenu">Novell AppArmor</span> and go to <span class="guimenu">AppArmor
Reports</span>. Select <span class="guimenu">View Archive</span> and
<span class="guimenu">App Aud</span> for the application audit report. You can
filter dates and times to narrow down the specific periods when the
unexpected application behavior occurred.
</p><p>
If you detect reject messages that indicate that your application or
service is too closely restricted by AppArmor, update your profile to
properly handle your use case of the application. Do this with the
<span class="guimenu">Update Profile Profile Wizard</span> in YaST, as described
in <a class="xref" href="cha.apparmor.yast.html#sec.apparmor.yast.update" title="22.5. Updating Profiles from Log Entries">Section 22.5, “Updating Profiles from Log Entries”</a>.
</p><p>
If you decide to run your application or service without AppArmor
protection, remove the application's profile from
<code class="filename">/etc/apparmor.d</code> or move it to another location.
</p></div><div class="sect2" title="27.4.2. My Profiles do not Seem to Work Anymore …"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.support.trouble.dirpath"></a>27.4.2. My Profiles do not Seem to Work Anymore …<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.support.trouble.dirpath">¶</a></span></h3></div></div></div><p>
If you have been using previous versions of AppArmor and have updated your
system (but kept your old set of profiles) you might notice some
applications which seemed to work perfectly before you updated behaving
strangely, or not working at all .
</p><p>
This version of AppArmor introduces a set of new features to the profile
syntax and the AppArmor tools that might cause trouble with older versions
of the AppArmor profiles. Those features are:
</p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
File Locking
</p></li><li class="listitem" style="list-style-type: disc"><p>
Network Access Control
</p></li><li class="listitem" style="list-style-type: disc"><p>
The <code class="literal">SYS_PTRACE</code> Capability
</p></li><li class="listitem" style="list-style-type: disc"><p>
Directory Path Access
</p></li></ul></div><p>
The current version of AppArmor mediates file locking and introduces a new
permission mode (<code class="literal">k</code>) for this. Applications requesting
file locking permission might misbehave or fail altogether if confined
by older profiles which do not explicitly contain permissions to lock
files. If you suspect this being the case, check the log file under
<code class="filename">/var/log/audit/audit.log</code> for entries like the
following:
</p><pre class="screen">type=APPARMOR_DENIED msg=audit(1188913493.299:9304): operation="file_lock" requested_mask="::k" denied_mask="::k" fsuid=1000 name="/home/tux/.qt/.qtrc.lock" pid=25736 profile="/usr/bin/opera"
</pre><p>
Update the profile using the YaST Update Profile Wizard or the
<span class="command"><strong>aa-logprof</strong></span> command as outlined below.
</p><p>
The new network access control syntax based on the network family and
type specification, described in
<a class="xref" href="cha.apparmor.profiles.html#sec.apparmor.profiles.nac" title="20.5. Network Access Control">Section 20.5, “Network Access Control”</a>, might cause application
misbehavior or even stop applications from working. If you notice a
network-related application behaving strangely, check the log file under
<code class="filename">/var/log/audit/audit.log</code> for entries like the
following:
</p><pre class="screen">
type=APPARMOR_DENIED msg=audit(1188894313.206:9123): operation="socket_create" family="inet" sock_type="raw" protocol=1 pid=23810 profile="/bin/ping"
</pre><p>
This log entry means that our example application,
<span class="command"><strong>/bin/ping</strong></span> in this case, failed to get AppArmor's
permission to open a network connection. This permission has to be
explicitly stated to make sure that an application has network access.
To update the profile to the new syntax, use the YaST Update Profile
Wizard or the <span class="command"><strong>aa-logprof</strong></span> command as outlined below.
</p><p>
The current kernel requires the <code class="literal">SYS_PTRACE</code>
capability, if a process tries to access files in
<code class="filename">/proc/<em class="replaceable"><code>pid</code></em>/fd/*</code>. New
profiles need an entry for the file and the capability, where old
profiles only needed the file entry. For example:
</p><pre class="screen">/proc/*/fd/** rw,</pre><p>
in the old syntax would translate to the following rules in the new
syntax:
</p><pre class="screen">capability SYS_PTRACE,
/proc/*/fd/** rw,</pre><p>
To update the profile to the new syntax, use the YaST Update Profile
Wizard or the <span class="command"><strong>aa-logprof</strong></span> command as outlined below.
</p><p>
With this version of AppArmor, a few changes have been made to the profile
rule syntax to better distinguish directory from file access. Therefore,
some rules matching both file and directory paths in the previous
version might now just match a file path. This could lead to AppArmor not
being able to access a crucial directory at all, and thus trigger
misbehavior of your application and various log messages. The following
examples highlight the most important changes to the path syntax.
</p><p>
Using the old syntax, the following rule would allow access to files and
directories in <code class="filename">/proc/net</code>. It would allow directory
access only to read the entries in the directory, but not give access to
files or directories under the directory, e.g.
<code class="filename">/proc/net/dir/foo</code> would be matched by the asterisk
(*), but as <code class="filename">foo</code> is a file or directory under
<code class="filename">dir</code>, it cannot be accessed.
</p><pre class="screen">/proc/net/* r,
</pre><p>
To get the same behavior using the new syntax, you need two rules
instead of one. The first allows access to the file under
<code class="filename">/proc/net</code> and the second allows access to
directories under <code class="filename">/proc/net</code>. Directory access can
only be used for listing the contents, not actually accessing files or
directories underneath the directory.
</p><pre class="screen">/proc/net/* r,
/proc/net/*/ r,
</pre><p>
The following rule works similarly both under the old and the new
syntax, and allows access to both files and directories under
<code class="filename">/proc/net</code>:
</p><pre class="screen">
/proc/net/** r,
</pre><p>
To distinguish file access from directory access using the above
expression in the new syntax, use the following two rules. The first one
only allows to recursively access directories under
<code class="filename">/proc/net</code> while the second one explicitly allows
for recursive file access only.
</p><pre class="screen">/proc/net/**/ r,
/proc/net/**[^/] r,</pre><p>
The following rule works similarly both under the old and the new syntax
and allows access to both files and directories beginning with
<code class="literal">foo</code> under <code class="filename">/proc/net</code>:
</p><pre class="screen">/proc/net/foo** r,</pre><p>
To distinguish file access from directory access in the new syntax and
use the <code class="literal">**</code> globbing pattern, use the following two
rules. The first one would have matched both files and directories in
the old syntax, but only matches files in the new syntax due to the
missing trailing slash. The second rule matched neither file nor
directory in the old syntax, but matches directories only in the new
syntax:
</p><pre class="screen">/proc/net/**foo r,
/proc/net/**foo/ r,
</pre><p>
The following rules illustrate how the use of the <code class="literal">?</code>
globbing pattern has changed. In the old syntax, the first rule would
have matched both files and directories (four characters, last character
could be any but a slash). In the new syntax, it matches only files
(trailing slash is missing). The second rule would match nothing in the
old profile syntax, but matches directories only in the new syntax. The
last rule matches explicitly matches a file called
<code class="filename">bar</code> under <code class="filename">/proc/net/foo?</code>.
Using the old syntax, this rule would have applied to both files and
directories:
</p><pre class="screen">/proc/net/foo? r,
/proc/net/foo?/ r,
/proc/net/foo?/bar r,
</pre><p>
To find and resolve issues related to syntax changes, take some time
after the update to check the profiles you want to keep and proceed as
follows for each application you kept the profile for:
</p><div class="procedure"><ol class="procedure" type="1"><li><p>
Make sure that AppArmor is running and that the application's profile is
loaded.
</p></li><li><p>
Start the YaST AppArmor Control Panel and put the application's profile
into complain mode. Log entries are made for any actions violating the
current profile, but the profile is not enforced and the application's
behavior not restricted.
</p></li><li><p>
Run the application covering all the tasks you need this application
to be able to perform.
</p></li><li><p>
Start the YaST Update Profile Wizard to update the application's
profile according to the log entries generated while running the
application.
</p></li><li><p>
Once the profile is updated, put it back into enforce mode via the
YaST AppArmor Control Panel.
</p></li></ol></div><p>
Using the AppArmor command line tools, you would proceed as follows:
</p><div class="procedure"><ol class="procedure" type="1"><li><p>
Put the application's profile into complain mode:
</p><pre class="screen"><span class="command"><strong>aa-complain <code class="option"><em class="replaceable"><code>/path/to/application</code></em></code></strong></span></pre></li><li><p>
Run the application.
</p></li><li><p>
Update the profile according to the log entries made while running the
application:
</p><pre class="screen"><span class="command"><strong>aa-logprof <code class="option"><em class="replaceable"><code>/path/to/application</code></em></code></strong></span>
</pre></li><li><p>
Put the resulting profile back into enforce mode:
</p><pre class="screen"><span class="command"><strong>aa-enforce <code class="option"><em class="replaceable"><code>/path/to/application</code></em></code></strong></span></pre></li></ol></div></div><div class="sect2" title="27.4.3. How to Confine KDE Applications with AppArmor?"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.support.trouble.kde"></a>27.4.3. How to Confine KDE Applications with AppArmor?<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.support.trouble.kde">¶</a></span></h3></div></div></div><p>
Currently, it is not possible to confine KDE applications to the same
extent as any other application, due to the way KDE manages its
processes.
</p><p>
If you want to confine KDE applications, choose one of the following
approaches, but note that none of them are really suited for a standard
setup:
</p><div class="variablelist"><dl><dt><span class="term">Create a Single Profile for the Entire KDE Desktop</span></dt><dd><p>
As all KDE processes are children of one parent process and AppArmor
cannot distinguish an individual application's process from the rest,
create one huge profile to confine the entire desktop all at once.
This approach is only feasible if your setup is a very limited
(kiosk-type) one. Maintaining such a profile for a standard KDE
desktop (including all of its applications) would be close to
impossible.
</p></dd><dt><span class="term">Modify KDE's process handling</span></dt><dd><p>
Using <code class="literal">KDE_EXEC_SLAVES=1</code> and
<code class="literal">KDE_IS_PRELINKED=1</code> variables force KDE to manage
its processes in a way that allows AppArmor to distinguish individual
applications from each other and apply profiles to them. This
approach might slow down your desktop considerably, as it turns off a
crucial optimization for speed. Note that the above mentioned
environment variables have to be set before KDM/XDM/GDM or startx are
started. One way to achieve this would be to add them to
<code class="filename">/etc/security/pam_env.conf</code>.
</p></dd></dl></div></div><div class="sect2" title="27.4.4. How to Resolve Issues with Apache?"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.support.trouble.apache"></a>27.4.4. How to Resolve Issues with Apache?<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.support.trouble.apache">¶</a></span></h3></div></div></div><p>
Apache is not starting properly or it is not serving Web pages and you
just installed a new module or made a configuration change. When you
install additional Apache modules (like
<code class="literal">apache2-mod_apparmor</code>) or make configuration changes
to Apache, you should profile Apache again to catch any additional rules
that need to be added to the profile.
</p></div><div class="sect2" title="27.4.5. Why are the Reports not Sent by E-Mail?"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.support.trouble.report"></a>27.4.5. Why are the Reports not Sent by E-Mail?<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.support.trouble.report">¶</a></span></h3></div></div></div><p>
When the reporting feature generates an HTML or CSV file that exceeds
the default size, the file is not sent. Mail servers have a default hard
limit for e-mail size. This limitation can impede AppArmor's ability to send
e-mails that are generated for reporting purposes. If your mail is not
arriving, this could be why. Consider the mail size limits and check the
archives if e-mails have not been received.
</p></div><div class="sect2" title="27.4.6. How to Exclude Certain Profiles from the List of Profiles Used?"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.support.trouble.ex"></a>27.4.6. How to Exclude Certain Profiles from the List of Profiles Used?<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.support.trouble.ex">¶</a></span></h3></div></div></div><p>
AppArmor always loads and applies all profiles that are available in its
profile directory (<code class="filename">/etc/apparmor.d/</code>). If you decide
not to apply a profile to a certain application, delete the appropriate
profile or move it to another location where AppArmor would not check for
it.
</p></div><div class="sect2" title="27.4.7. Can I Manage Profiles for Applications not Installed on my System?"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.support.trouble.remote"></a>27.4.7. Can I Manage Profiles for Applications not Installed on my System?<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.support.trouble.remote">¶</a></span></h3></div></div></div><p>
Managing profiles with AppArmor requires you to have access to the log of
the system on which the application is running. So you do not need to
run the application on your profile, build host as long as you have
access to the machine that runs the application. You can run the
application on one system, transfer the logs
(<code class="filename">/var/log/audit.log</code> or, if
<code class="filename">audit</code> is not installed,
<code class="filename">/var/log/messages</code>) to your profile build host and
run <span class="command"><strong>aa-logprof -f
<em class="replaceable"><code>path_to_logfile</code></em></strong></span>.
</p></div><div class="sect2" title="27.4.8. How to Spot and fix AppArmor Syntax Errors?"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apparmor.support.trouble.syntax"></a>27.4.8. How to Spot and fix AppArmor Syntax Errors?<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.support.trouble.syntax">¶</a></span></h3></div></div></div><p>
Manually editing Novell AppArmor profiles can introduce syntax errors. If you
attempt to start or restart AppArmor with syntax errors in your profiles,
error results are shown. This example shows the syntax of the entire
parser error.
</p><pre class="screen">
localhost:~ # rcapparmor start
Loading AppArmor profiles AppArmor parser error in /etc/apparmor.d/usr.sbin.squid at line 410: syntax error, unexpected TOK_ID, expecting TOK_MODE
Profile /etc/apparmor.d/usr.sbin.squid failed to load
</pre><p>
Using the AppArmor YaST tools, a graphical error message indicates which
profile contained the error and requests you to fix it.
</p><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="60%"><tr><td><img src="images/aa_syncheck.png" width="100%"></td></tr></table></div></div><p>
To fix a syntax error, log in to a terminal window as <code class="systemitem">root</code>, open
the profile, and correct the syntax. Reload the profile set with
<span class="command"><strong>rcapparmor <code class="option">reload</code></strong></span>.
</p></div></div><div class="sect1" title="27.5. Reporting Bugs for AppArmor"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apparmor.support.bugs"></a>27.5. Reporting Bugs for AppArmor<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apparmor.support.bugs">¶</a></span></h2></div></div></div><p>
The developers of AppArmor are eager to deliver products of the highest
quality. Your feedback and your bug reports help us keep the quality
high. Whenever you encounter a bug in AppArmor, file a bug report against
this product:
</p><div class="procedure"><ol class="procedure" type="1"><li><p>
Use your Web browser to go to
<a class="ulink" href="https://bugzilla.novell.com/index.cgi" target="_top">https://bugzilla.novell.com/index.cgi</a>.
</p></li><li><p>
Enter the account data of your Novell account and click
<span class="guimenu">Login</span>
</p><p>
<span class="emphasis"><em>or</em></span>
</p><p>
Create a new Novell account as follows:
</p><ol type="a" class="substeps"><li><p>
Click <span class="guimenu">Create New Account</span> on the <span class="guimenu">Login to
Continue</span> page.
</p></li><li><p>
Provide a username and password and additional address data and click
<span class="guimenu">Create Login</span> to immediately proceed with the login
creation.
</p><p>
<span class="emphasis"><em>or</em></span>
</p><p>
Provide data on which other Novell accounts you maintain to sync all
these to one account.
</p></li></ol></li><li><p>
Check whether a problem similar to yours has already been reported by
clicking <span class="guimenu">Search Reports</span>. Use a quick search against
a given product and keyword or use the <span class="guimenu">Advanced
Search</span>.
</p></li><li><p>
If your problem has already been reported, check this bug report and
add extra information to it, if necessary.
</p></li><li><p>
If your problem has not been reported yet, select
<span class="guimenu">New</span> from the top navigation bar and proceed to the
<span class="guimenu">Enter Bug</span> page.
</p></li><li><p>
Select the product against which to file the bug. In your case, this
would be your product's release. Click <span class="guimenu">Submit</span>.
</p></li><li><p>
Select the product version, component (AppArmor in this case), hardware
platform, and severity.
</p></li><li><p>
Enter a brief headline describing your problem and add a more elaborate
description including log files. You may create attachments to your bug
report for screen shots, log files, or test cases.
</p></li><li><p>
Click <span class="guimenu">Submit</span> after you have entered all the details
to send your report to the developers.
</p></li></ol></div></div></div><div class="navfooter"><table width="100%" summary="Navigation footer" border="0" class="bctable"><tr><td width="80%"><div class="breadcrumbs"><p><a href="index.html"> Documentation</a><span class="breadcrumbs-sep"> > </span><a href="book.security.html">Security Guide</a><span class="breadcrumbs-sep"> > </span><a href="part.apparmor.html">Confining Privileges with Novell AppArmor</a><span class="breadcrumbs-sep"> > </span><strong><a accesskey="p" title="Chapter 26. Managing Profiled Applications" href="cha.apparmor.managing.html"><span>◀</span></a> <a accesskey="n" title="Chapter 28. AppArmor Glossary" href="cha.apparmor.glossary.html"><span>▶</span></a></strong></p></div></td></tr></table></div></body></html>
ACC SHELL 2018