Two Methods of Profiling
complain /etc/subdomain.d/sbin.program1

Each of the above commands will activate complain mode for the profiles/programs listed. The command can either list programs or profiles. If the program name does not include its entire path, then complain searches $PATH for the program. So for instance “complain /usr/sbin/*” will find profiles associated with all of the programs in /usr/sbin and put them into complain mode, and “complain /etc/subdomain.d/*” will put all of the profiles in /etc/subdomain.d into complain mode.

Enforce Mode
The enforce mode Novell AppArmor tool detects violations of Novell AppArmor profile rules, such as the profiled program accessing files not permitted by the profile. The violations are logged and NOT permitted. Turn complain mode on when you want the Novell AppArmor profiles to control the access of the program that is profiled. The default mode is for enforce mode to be turned on. enforce toggles with complain mode.

Manually activating enforce mode (using the command line) adds a flag to the top of the profile so that “/bin/foo {” becomes “/bin/foo flags=(enforce) {”.

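The following shell script is an added example, not part of the Novell guide: it reads the profile header line described above and reports which profiles in a directory are in complain mode, so profiles that only log violations can be found before deployment. It assumes complain mode is recorded as flags=(complain), mirroring the flags=(enforce) form shown here; the function names and sample profiles are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Novell's code. Assumption: complain mode is recorded as
# flags=(complain), mirroring the flags=(enforce) header form described above.

# profile_modes FILE: print "<profile> <mode>" for each profile header in FILE.
# A header with no flags counts as enforce, the default mode.
profile_modes() {
    awk '
        /^\/[^ \t]+[ \t].*[{][ \t]*$/ {
            mode = "enforce"
            if (match($0, /flags=\([^)]*\)/)) {
                flags = substr($0, RSTART + 7, RLENGTH - 8)
                if (flags ~ /(^|[ ,])complain([ ,]|$)/) mode = "complain"
            }
            print $1, mode
        }
    ' "$1"
}

# complain_profiles DIR: list "file: profile" for profiles that only log
# violations; returns 1 if any are found so a hardening check can fail on it.
complain_profiles() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        hits=$(profile_modes "$f" | awk -v f="$f" '$2 == "complain" { print f ": " $1 }')
        if [ -n "$hits" ]; then
            echo "$hits"
            found=1
        fi
    done
    return "$found"
}

# write_samples DIR: constructed profiles for the demo (not from a real system).
write_samples() {
    printf '%s\n' '/sbin/program1 flags=(complain) {' '  /etc/hosts r,' '}' > "$1/sbin.program1"
    printf '%s\n' '/bin/foo flags=(enforce) {' '  /tmp/** rw,' '}' > "$1/bin.foo"
    printf '%s\n' '/usr/sbin/program2 {' '  /var/log/* w,' '}' > "$1/usr.sbin.program2"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
complain_profiles "$demo_dir" || echo "profiles listed above are in complain mode"
rm -rf "$demo_dir"
```
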
To use complain mode, open a terminal window and type one of the following lines as a root user.

• If the example program (program1) is in your path, type:
enforce [program1 program2 ...]

• If the program is not in your path, you should specify the entire path, as follows:
enforce /sbin/program1

• If the profiles are not in /etc/subdomain.d, type the following to override the default location:
enforce /path/to/profiles/ program1

• Alternately, you can specify the profile for program1, as follows: