User’s Guide 54
and there are no other programs in that directory, then the simple command “autodep /path/to/your/programs/*” will create nominal profiles for all programs in that directory.
using ps: You can run your application, and use the standard Linux ps command to find all processes running. You then need to manually hunt down the location of these programs, and run the autodep program for each one. If the programs are in your path, then autodep will find them for you. If they are not in your path, then the standard Linux command locate may be helpful in finding your programs. If locate does not work (it is not a default program on certain systems), you can try using find / -name '*foo*' -print.
Complain or Learning Mode
The complain or learning mode Novell AppArmor tool detects violations of SubDomain profile rules, such as the profiled program accessing files not permitted by the profile. The violations are permitted, but also logged. To improve the profile, turn complain mode on, run the program through a suite of tests to generate log events that characterize the program’s access needs, then post-process the log with the Novell AppArmor tools to transform log events into improved profiles.
Manually activating complain mode (using the command line) adds a flag to the top of the profile so that “/bin/foo {” becomes “/bin/foo flags=(complain) {”.
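Because complain mode permits violations and only logs them, a profile left in that mode after testing no longer confines its program. The script below is an added example (not from the Novell guide) that reports each profile's mode by reading the header line described above; the function names, the assumption that headers sit on a single line ending in "{", and the sample profiles are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which profiles in a directory are in complain mode.
# It relies only on the header form described in the guide:
#   /bin/foo {                   -> enforced
#   /bin/foo flags=(complain) {  -> complain (violations permitted, but logged)

# profile_modes DIR: print "mode<TAB>program<TAB>file" for every profile header.
profile_modes() {
    dir=${1:-/etc/subdomain.d}      # default profile location named in the guide
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }     # ignore commented-out headers
            /^[ \t]*\/[^ \t]+[ \t]+(flags=[(][^)]*[)][ \t]*)?[{][ \t]*$/ {
                mode = ($0 ~ /flags=[(][^)]*complain[^)]*[)]/) ? "complain" : "enforce"
                print mode "\t" $1 "\t" file
            }' "$f"
    done
}

# complain_count DIR: number of profiles still in complain mode.
complain_count() {
    profile_modes "$1" | awk -F'\t' '$1 == "complain"' | wc -l | tr -d ' '
}

# Dry run on constructed sample profiles (not real system profiles).
demo=$(mktemp -d)
printf '%s\n' '/bin/foo flags=(complain) {' '  /etc/foo.conf r,' '}' > "$demo/bin.foo"
printf '%s\n' '/sbin/program1 {' '  /var/log/program1.log w,' '}' > "$demo/sbin.program1"
profile_modes "$demo"
echo "profiles in complain mode: $(complain_count "$demo")"
rm -rf "$demo"
```

Run it against the real profile directory after a tuning session to confirm that nothing was left in complain mode by accident.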
To use complain mode, open a terminal window and type one of the following lines as a root user.
• If the example program (program1) is in your path, type:
  complain [program1 program2 ...]
• If the program is not in your path, you should specify the entire path, as follows:
  complain /sbin/program1
• If the profiles are not in /etc/subdomain.d, type the following to override the default location:
  complain /path/to/profiles/ program1
• Alternately, you can specify the profile for program1, as follows: