• Specify the profile for program1 as follows:
aa-complain /etc/apparmor.d/sbin.program1
Each of the above commands activates the complain mode for the profiles or programs listed. If the program name does not include its entire path, aa-complain searches $PATH for the program. So, for instance, aa-complain /usr/sbin/* finds the profiles associated with all of the programs in /usr/sbin and puts them into complain mode, and aa-complain /etc/apparmor.d/* puts all of the profiles in /etc/apparmor.d into complain mode.
aa-enforce—Entering Enforce Mode
The enforce mode detects violations of Novell AppArmor profile rules, such as the profiled program accessing files not permitted by the profile. The violations are logged and not permitted. The default is for enforce mode to be enabled. To log the violations only, but still permit them, use complain mode. Enforce mode toggles with complain mode: a profile is in one or the other. Manually activating enforce mode (using the command line) adds a flag to the top of the profile so that /bin/foo becomes /bin/foo flags=(enforce). To use enforce mode, open a terminal window and enter one of the following lines as root.
• If the example program (program1) is in your path, use:
aa-enforce [program1 program2 ...]
• If the program is not in your path, specify the entire path, as follows:
aa-enforce /sbin/program1
• If the profiles are not in /etc/apparmor.d, use the following to override the default location:
aa-enforce /path/to/profiles/program1
• Specify the profile for program1 as follows:
aa-enforce /etc/apparmor.d/sbin.program1
Each of the above commands activates the enforce mode for the profiles and programs
listed.
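As an added illustration of the flags=(...) header mechanism that both aa-complain and aa-enforce apply (this is example code written for this page, not code from the guide or from the AppArmor tools), the following shell functions rewrite the mode flag on a constructed sample profile, report which mode a profile file is in, and sweep every profile in a directory the way the wildcard form aa-complain /etc/apparmor.d/* does. The function names, the sample profile content and the temporary directory are assumptions made for the example; the real tools additionally reload the changed profile into the kernel, which this example deliberately does not do, so it can be run on any machine.

```shell
#!/bin/sh
# Added example, not part of the AppArmor guide or of the aa-complain/aa-enforce
# tools: shows the header-flag rewrite those tools apply ("/bin/foo {" becomes
# "/bin/foo flags=(enforce) {" or "/bin/foo flags=(complain) {") on a constructed
# sample profile. It edits the profile text only; it does not load the profile
# into the kernel as the real tools do.
set -eu

# Write a constructed sample profile (assumed content, not a shipped profile)
# for program path $2 to the file $1.
make_sample_profile() {
    prog="$2"
    cat > "$1" <<EOF
# constructed sample profile for the example
#include <tunables/global>
$prog {
  #include <abstractions/base>
  /etc/${prog##*/}.conf r,
  /var/log/${prog##*/}.log w,
}
EOF
}

# Print the mode of the profile in file $1: "complain" if the header carries
# flags=(complain), otherwise "enforce" (the guide's default when no flag is set).
profile_mode() {
    if grep -Eq '^[^#].*flags=\([^)]*complain[^)]*\)' "$1"; then
        echo complain
    else
        echo enforce
    fi
}

# Rewrite the header line of profile file $1 so it ends in "flags=($2) {",
# replacing any flags=(...) already present. $2 must be complain or enforce.
set_profile_mode() {
    file="$1" mode="$2"
    case "$mode" in
        complain|enforce) ;;
        *) echo "set_profile_mode: unknown mode '$mode'" >&2; return 1 ;;
    esac
    tmp="$file.tmp.$$"
    awk -v mode="$mode" '
        # The first line that is neither blank nor a #-comment/#include is the
        # header ("/path/to/program ... {"); rewrite it once, copy everything else.
        !done && $0 !~ /^[ \t]*(#|$)/ {
            sub(/[ \t]+flags=\([^)]*\)/, "")
            sub(/[ \t]*[{][ \t]*$/, " flags=(" mode ") {")
            done = 1
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Apply one mode to every profile file in directory $1, mirroring what the
# wildcard form "aa-complain /etc/apparmor.d/*" does for the real profile directory.
set_dir_mode() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        set_profile_mode "$f" "$2"
    done
}

# Stand-alone demonstration in a throwaway directory.
demo_dir=$(mktemp -d)
make_sample_profile "$demo_dir/usr.sbin.program1" /usr/sbin/program1
make_sample_profile "$demo_dir/usr.sbin.program2" /usr/sbin/program2
echo "before: $(profile_mode "$demo_dir/usr.sbin.program1")"                  # enforce
set_dir_mode "$demo_dir" complain
echo "after directory sweep: $(profile_mode "$demo_dir/usr.sbin.program1")"   # complain
set_profile_mode "$demo_dir/usr.sbin.program1" enforce
grep -n 'flags=' "$demo_dir"/*                                                # one header line per file
rm -rf "$demo_dir"
```

Because the mode lives in the profile header, a profile in enforce mode and the same profile in complain mode differ only in that one flag, which is why the two tools toggle each other. Checking profile_mode on every file under the profile directory is a quick way to confirm that nothing was left in complain mode after a profile-building session.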
56
Novell AppArmor 2.0 Administration Guide