Building AppArmor profiles to confine an application is very straightforward and intuitive. AppArmor ships with several tools that assist in profile creation. It does not require you to do any programming or script handling. The only task that is required from the administrator is to determine a policy of strictest access and execute permissions for each application that needs to be hardened.
Updates or modifications to the application profiles are only required if the software configuration or the desired range of activities changes. AppArmor offers intuitive tools to handle profile updates or modifications.
You are ready to build Novell AppArmor profiles after you select the programs to profile. To do so, it is important to understand the components and syntax of profiles. AppArmor profiles contain several building blocks that help build simple and reusable profile code:
#include statements are used to pull in parts of other AppArmor profiles to simplify the structure of new profiles.
Abstractions are #include statements grouped by common application tasks.
Program chunks are #include statements that contain chunks of profiles that are specific to program suites.
Capability entries are profile entries for any of the POSIX.1e Linux capabilities allowing a fine-grained control over what a confined process is allowed to do through system calls that require privileges.
Network Access Control Entries mediate network access based on the address type and family.
Local variables define shortcuts for paths.
File Access Control Entries specify the set of files an application can access.
rlimit entries set and control an application's resource limits.
For help determining the programs to profile, refer to Section 19.2, Determining Programs to Immunize. To start building AppArmor profiles with YaST, proceed to Section 22.0, Building and Managing Profiles with YaST. To build profiles using the AppArmor command line interface, proceed to Section 23.0, Building Profiles from the Command Line.