3.4 Building Novell AppArmor Profiles Using the Command Line Interface

Novell AppArmor provides the ability to use a command line interface rather than the GUI to manage and configure your system security.

3.4.1 Checking the SubDomain Module Status

The SubDomain module can be in any one of three states:

Unloaded

The SubDomain module is not loaded into the kernel.

Running

The SubDomain module is loaded into the kernel and is enforcing Novell AppArmor program policies.

Stopped

The SubDomain module is loaded into the kernel, but there are no policies being enforced.

You can detect which of the three states the SubDomain module is in by inspecting /subdomain/profiles. If cat /subdomain/profiles reports a list of profiles, Novell AppArmor is running. If the file exists but cat returns nothing, SubDomain is stopped. If the file does not exist, SubDomain is unloaded.
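The three-way check above, as an added shell example that is not part of the original guide. The path is a parameter only so the function can be exercised against a constructed file; the real path on a SUSE system is /subdomain/profiles.

```shell
# Report the SubDomain module state from /subdomain/profiles (added example,
# not from the Novell AppArmor guide).  The file lives on a pseudo filesystem,
# so its reported size cannot be trusted; the state is judged from what cat
# actually returns, exactly as the guide describes.
subdomain_state() {
    profiles="${1:-/subdomain/profiles}"   # assumption: default is the real path

    if [ ! -e "$profiles" ]; then
        echo unloaded                       # module is not in the kernel
        return 0
    fi

    # -n on the captured output, not test -s, because pseudo files often
    # report a size of 0 even when cat prints a list of profiles.
    if [ -n "$(cat "$profiles" 2>/dev/null)" ]; then
        echo running                        # profiles loaded and enforced
    else
        echo stopped                        # module loaded, no profiles
    fi
}
```

Call subdomain_state with no argument on a live system; it prints unloaded, stopped or running.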

The SubDomain module can be loaded and unloaded with the standard Linux module commands such as modprobe, insmod, lsmod, and rmmod, but this approach is not recommended. Instead, manage Novell AppArmor through the script rcsubdomain, which can perform the following operations:

rcsubdomain start

Has different behaviors depending on the SubDomain module state. If it was unloaded, start loads the module and starts it, putting it in the running state. If it was stopped, then start causes the module to rescan the Novell AppArmor profiles usually found in /etc/subdomain.d and puts the module in the running state. If the module was already running, start reports a warning and takes no action.

rcsubdomain stop

Stops the SubDomain module (if it was running) by removing all profiles from kernel memory, effectively disabling all access controls and putting the module into the stopped state. If the SubDomain module was either unloaded or already stopped, stop tries to unload the profiles again, but nothing happens.

rcsubdomain restart

Causes the SubDomain module to rescan the profiles usually found in /etc/subdomain.d without unconfining running processes, adding any new profiles and removing any profiles that have been deleted from /etc/subdomain.d.

rcsubdomain kill

Unconditionally removes the SubDomain module from the kernel. This is unsafe, because unloading modules from the Linux kernel is unsafe. This command is provided only for debugging and emergencies when the module might have to be removed.

NOTE: Novell AppArmor is a powerful access control system and it is possible to lock yourself out of your own machine to the point where you have to boot the machine from rescue media (such as CD 1 of SUSE Linux) to regain control.

To prevent such a problem, always ensure that you have a running, unconfined, root login on the machine being configured when you restart the SubDomain module. If you damage your system to the point where logins are no longer possible (for example, by breaking the profile associated with the SSH daemon), you can repair the damage using your running root prompt and restarting the SubDomain module.

3.4.2 Building Novell AppArmor Profiles

The SubDomain module profile definitions are stored in the directory /etc/subdomain.d/ as plain text files.

WARNING: All files in the /etc/subdomain.d/ directory are interpreted as profiles and are loaded as such. Renaming files in that directory is not an effective way of preventing profiles from being loaded. You must remove profiles from this directory to manage them effectively.

You can use a text editor, such as vim, to access and make changes to these profiles. The following options contain detailed steps for building profiles:

Adding or Creating Novell AppArmor Profiles

Refer to Section 3.4.3, Adding or Creating a Novell AppArmor Profile

Editing Novell AppArmor Profiles

Refer to Section 3.4.4, Editing a Novell AppArmor Profile

Deleting Novell AppArmor Profiles

Refer to Section 3.4.5, Deleting a Novell AppArmor Profile

Use vim to view and edit your profile by typing vim at a terminal window. To enable syntax coloring when you edit a Novell AppArmor profile in vim, use the commands :syntax on then :set syntax=subdomain. For more information about vim and syntax coloring, refer to Subdomain.vim.

NOTE: After making changes to a profile, use the rcsubdomain restart command, described in the previous section. This command causes Novell AppArmor to reread the profiles. For a detailed description of the syntax of these files, refer to Section 3.0, Building Novell AppArmor Profiles.

3.4.3 Adding or Creating a Novell AppArmor Profile

To add or create a Novell AppArmor profile for an application, you can use a systemic or stand-alone profiling method, depending on your needs.

Stand-Alone Profiling

Suitable for profiling small applications that have a finite run time, such as user client applications like mail clients. Refer to Section 3.5.1, Stand-Alone Profiling.

Systemic Profiling

Suitable for profiling large numbers of programs all at once and for profiling applications that might run for days, weeks, or continuously across reboots, such as network server applications like Web servers and mail servers. Refer to Section 3.5.2, Systemic Profiling.

3.4.4 Editing a Novell AppArmor Profile

The following steps describe the procedure for editing a Novell AppArmor profile. To better understand what makes up a profile, refer to Section 3.1, Profile Components and Syntax.

  1. If you are not currently signed in as root, type su in a terminal window.

  2. Enter the root password when prompted.

  3. To go to the directory, enter cd /etc/subdomain.d/.

  4. Enter ls to view all profiles currently installed.

  5. Open the profile to edit in a text editor, such as vim.

  6. Make the necessary changes, then save the profile.

  7. Restart Novell AppArmor by entering rcsubdomain restart in a terminal window.

3.4.5 Deleting a Novell AppArmor Profile

The following steps describe the procedure for deleting a Novell AppArmor profile.

  1. If you are not currently signed in as root, enter su in a terminal window.

  2. Enter the root password when prompted.

  3. To go to the Novell AppArmor directory, enter cd /etc/subdomain.d/.

  4. Enter ls to view all the Novell AppArmor profiles that are currently installed.

  5. Delete the existing profile with rm profilename.

  6. Restart Novell AppArmor by entering rcsubdomain restart in a terminal window.
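The deletion procedure above as one shell function, added here as an example and not taken from the guide. It keeps a copy of the profile outside /etc/subdomain.d before removing it, because a copy left inside that directory would itself be loaded (see the warning in Section 3.4.2). PROFILE_DIR, BACKUP_DIR and RCSUBDOMAIN are assumed parameters so the function can be exercised against a scratch directory; on a SUSE system they default to the real locations.

```shell
# Remove a profile from /etc/subdomain.d and reload SubDomain (added example,
# not from the Novell AppArmor guide).  Run it from a root shell, as the
# procedure in 3.4.5 requires; keep an unconfined root login open meanwhile.
remove_profile() {
    name="$1"
    profile_dir="${PROFILE_DIR:-/etc/subdomain.d}"      # assumption: real dir
    backup_dir="${BACKUP_DIR:-/root/subdomain-backup}"  # assumption: outside profile_dir
    rc="${RCSUBDOMAIN:-rcsubdomain}"                    # assumption: real script

    # Only a bare file name is accepted, so the removal cannot reach outside
    # the profile directory.
    case "$name" in
        ''|*/*|.|..) echo "refusing profile name '$name'" >&2; return 2 ;;
    esac

    if [ ! -f "$profile_dir/$name" ]; then
        echo "no such profile: $profile_dir/$name" >&2
        return 1
    fi

    mkdir -p "$backup_dir" || return 1
    # mv out of the directory, never a rename within it: every file in
    # /etc/subdomain.d is loaded as a profile regardless of its name.
    mv "$profile_dir/$name" "$backup_dir/$name.$(date +%Y%m%d%H%M%S)" || return 1

    # rcsubdomain restart drops the deleted profile from the kernel (3.4.1).
    "$rc" restart
}
```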