• You can avoid adding the helper applications, such as tar and rpm, to the /usr/bin/mail profile so that when /usr/bin/mail runs /usr/bin/less in this context, the less program is far less dangerous than it would be without Novell AppArmor protection.
In other circumstances, you might instead want to use the Profile option. This has two effects on aa-logprof:
• The rule written into the profile uses px, which forces the transition to the child's own profile.
• aa-logprof constructs a profile for the child and starts building it, in the same way that it built the parent profile, by ascribing events for the child process to the child's profile and asking the aa-logprof user questions.
Finally, you might want to grant the child process very powerful access by specifying Unconfined. This writes Ux into the parent profile so that when the child runs, it runs without any Novell AppArmor profile being applied at all, but the environment is cleaned of some environment variables, which can alter execution behavior, before the child inherits it. Running unconfined means running with no protection and should only be used when absolutely required.
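The three transitions described above (Inherit as ix, Profile as px, Unconfined as Ux) side by side in one constructed profile, with two small audit helpers. This is an added example, not a profile or tool from the original documentation: the rule set for /usr/bin/mail, the child profile for /usr/bin/tar and the Ux rule for /usr/bin/rpm are illustrative choices made for this example, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original documentation. The profile below is
# constructed to show ix, px and Ux on one parent; the child profile for
# /usr/bin/tar and the Ux rule for /usr/bin/rpm are illustrative only.

# Write the constructed profile to the file named in $1.
write_example_profile() {
    cat > "$1" <<'EOF'
#include <tunables/global>

/usr/bin/mail {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  /usr/bin/mail          r,
  /var/mail/*            rw,
  @{HOME}/.mailrc        r,

  # Inherit: less keeps running under THIS profile, so it can only touch
  # what mail itself may touch (tar and rpm are not listed, so it cannot run them).
  /usr/bin/less          ix,
  # Profile: tar switches to its own profile (defined below); the exec fails
  # if that child profile is not loaded.
  /usr/bin/tar           px,
  # Unconfined: rpm runs with no profile at all; the uppercase U scrubs the
  # environment (LD_PRELOAD and similar) before the child inherits it.
  /usr/bin/rpm           Ux,
}

/usr/bin/tar {
  #include <abstractions/base>
  /usr/bin/tar           r,
  @{HOME}/**             r,
  /tmp/**                rw,
}
EOF
}

# Print the exec mode (ix, px, Px, ux, Ux, ...) that the first matching rule
# in profile file $1 grants to child executable $2; prints nothing if there is
# no exec rule for it. In AppArmor modes the trailing x is always lowercase.
exec_mode_of() {
    awk -v child="$2" '
        $1 == child && $2 ~ /x,$/ { sub(/,$/, "", $2); print $2; exit }
    ' "$1"
}

# List every rule in $1 that lets a child run without any profile (ux or Ux).
# These are the first rules to review in a profile set: each one is a full
# escape from confinement for the child.
list_unconfined_execs() {
    awk '$2 ~ /[uU]x,$/ { print $1 }' "$1"
}

# Usage: write the constructed profile and audit it for unconfined execs.
if [ "${1:-}" = "--demo" ]; then
    write_example_profile ./usr.bin.mail.example
    list_unconfined_execs ./usr.bin.mail.example
fi
```

Running the script with `--demo` writes the profile to the current directory and prints `/usr/bin/rpm`, the only child allowed to escape confinement. The audit helper matches on the second whitespace-separated field, so it works on hand-written profiles formatted like the one above; it is not a full AppArmor parser.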
aa-unconfined—Identifying Unprotected Processes
The aa-unconfined command examines open network ports on your system, compares that to the set of profiles loaded on your system, and reports network services that do not have Novell AppArmor profiles. It requires root privilege and that it not be confined by a Novell AppArmor profile.
aa-unconfined must be run as root to retrieve the process executable link from the /proc file system. This program is susceptible to the following race conditions:
• An unlinked executable is mishandled
• A process that dies between netstat(8) and further checks is mishandled
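A minimal re-implementation of the check aa-unconfined performs, written so that the two race conditions listed above are handled explicitly rather than mishandled. This is an added example, not the aa-unconfined source: it enumerates listening sockets with ss(8) instead of netstat(8), reads each process's AppArmor label from /proc, and the PROC_ROOT override and all function names are assumptions introduced so the helpers can be exercised on a constructed fake /proc tree.

```shell
#!/bin/sh
# Added example, not the aa-unconfined tool itself. PROC_ROOT is a hypothetical
# override (defaults to the real /proc) so the helpers can be tested offline.
: "${PROC_ROOT:=/proc}"

# Print the AppArmor label of a process, e.g. "unconfined" or
# "/usr/sbin/sshd (enforce)". Returns 1 if the process no longer exists,
# which is the "process died between enumeration and check" race.
confinement_label() {
    pid=$1
    for f in "$PROC_ROOT/$pid/attr/apparmor/current" "$PROC_ROOT/$pid/attr/current"; do
        if [ -r "$f" ]; then
            tr -d '\000' < "$f"
            return 0
        fi
    done
    [ -d "$PROC_ROOT/$pid" ] || return 1
    # Process exists but exposes no label (AppArmor LSM not active).
    echo "unknown"
}

# Resolve the executable behind a PID. An executable unlinked after the
# process started reads as "/path (deleted)"; report that explicitly instead
# of treating the dangling link as an error ("unlinked executable" race).
exe_path() {
    pid=$1
    target=$(readlink "$PROC_ROOT/$pid/exe" 2>/dev/null) || return 1
    case $target in
        *' (deleted)') printf '%s [unlinked]\n' "${target% (deleted)}" ;;
        *)             printf '%s\n' "$target" ;;
    esac
}

# True when the label means no profile is applied.
is_unconfined() {
    case $1 in
        unconfined|unconfined\ *|unknown) return 0 ;;
        *)                                return 1 ;;
    esac
}

# Walk every PID that owns a listening TCP/UDP socket and report whether it
# is confined. Needs root for /proc/<pid>/exe, exactly as the text states.
report_unconfined_listeners() {
    ss -Hlntup 2>/dev/null | sed -n 's/.*pid=\([0-9][0-9]*\).*/\1/p' | sort -u |
    while read -r pid; do
        if ! label=$(confinement_label "$pid"); then
            echo "pid $pid exited before it could be checked; skipped" >&2
            continue
        fi
        exe=$(exe_path "$pid") || exe="?"
        if is_unconfined "$label"; then
            printf '%s %s not confined\n' "$pid" "$exe"
        else
            printf '%s %s confined by %s\n' "$pid" "$exe" "$label"
        fi
    done
}

if [ "${1:-}" = "--run" ]; then
    report_unconfined_listeners
fi
```

Run it as root with `--run` to get one line per listening process. A process that disappears mid-scan is reported on stderr and skipped instead of aborting the whole report, and an unlinked executable is marked `[unlinked]`, which is itself worth a second look on a production host.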
Building Profiles via the Command Line
67