Directories
If all of the programs you want to profile are in a directory and there are no other
programs in that directory, the simple command

aa-autodep /path/to/your/programs/*

creates nominal profiles for all programs in that directory.
ps command
You can run your application and use the standard Linux ps command to find all
processes running. Then manually hunt down the location of these programs and run
the aa-autodep program for each one. If the programs are in your path, aa-autodep
finds them for you. If they are not in your path, the standard Linux command find
might be helpful in finding your programs. Execute

find / -name '*foo*' -print

to determine an application's path (*foo* being an example application).
aa-complain—Entering Complain or Learning Mode
The complain or learning mode tool (aa-complain) detects violations of Novell AppArmor
profile rules, such as the profiled program accessing files not permitted by the
profile. The violations are permitted, but also logged. To improve the profile, turn
complain mode on, run the program through a suite of tests to generate log events that
characterize the program's access needs, then postprocess the log with the Novell
AppArmor tools to transform log events into improved profiles.
Manually activating complain mode (using the command line) adds a flag to the top of
the profile so that /bin/foo becomes /bin/foo flags=(complain). To use complain mode,
open a terminal window and enter one of the following lines as root:

• If the example program (program1) is in your path, use:

aa-complain [program1 program2 ...]

• If the program is not in your path, specify the entire path as follows:

aa-complain /sbin/program1

• If the profiles are not in /etc/apparmor.d, use the following to override the
default location:

aa-complain /path/to/profiles/ program1
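The following shell helpers are an added example, not code from the AppArmor guide or its tools: they automate the "find the running programs, see which lack a profile" step from the ps section above and show the header rewrite that complain mode performs. They assume profile files are named after the binary path with the leading slash dropped and "/" replaced by "." (e.g. /usr/sbin/nscd -> usr.sbin.nscd) and that a profile starts with a header line such as "/bin/foo {".

```shell
#!/bin/sh
# Added example, not from the AppArmor guide. Assumptions: profiles in the
# profile directory are named after the binary path with the leading "/"
# dropped and every "/" turned into "." (/usr/sbin/nscd -> usr.sbin.nscd), and
# a profile begins with a header line such as "/bin/foo {".

# Map a binary path to the conventional profile file name.
profile_name_for() {
    printf '%s\n' "$1" | sed -e 's|^/||' -e 's|/|.|g'
}

# Resolve the executables behind every running process (the "ps" step) via
# /proc, so you get real paths rather than command names; entries you are not
# allowed to read are skipped.
running_programs() {
    for exe in /proc/[0-9]*/exe; do
        readlink "$exe" 2>/dev/null || true
    done | sed 's/ (deleted)$//' | sort -u
}

# Read binary paths on stdin and print those that have no profile in
# directory $1: these are the candidates to hand to aa-autodep.
unprofiled() {
    while IFS= read -r prog; do
        [ -e "$1/$(profile_name_for "$prog")" ] || printf '%s\n' "$prog"
    done
}

# Print profile $1 with its header switched into complain (learning) mode:
# "/bin/foo {" becomes "/bin/foo flags=(complain) {", the edit aa-complain
# makes. A header that already carries a flags=(...) list does not match the
# pattern, so running this twice does not double the flag.
set_complain_flag() {
    sed 's|^\(/[^ ]*\) *{|\1 flags=(complain) {|' "$1"
}

# Demo on a constructed profile in a temporary directory (sample data only).
demo_dir=$(mktemp -d)
printf '/usr/sbin/nscd {\n  /etc/nscd.conf r,\n}\n' > "$demo_dir/usr.sbin.nscd"
printf '/usr/sbin/nscd\n/usr/local/bin/foo\n' | unprofiled "$demo_dir"
# -> /usr/local/bin/foo
set_complain_flag "$demo_dir/usr.sbin.nscd" | head -n 1
# -> /usr/sbin/nscd flags=(complain) {
rm -rf "$demo_dir"
```

On a live system, `running_programs | unprofiled /etc/apparmor.d` lists the running binaries that still need a profile.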