User manual NOVELL APPARMOR 2.0.1 ADMINISTRATION GUIDE
[...] Novell AppArmor 2.0.1
November 29, 2006
www.novell.com
Novell AppArmor Administration Guide
Copyright © 2006 Novell, Inc. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with the Invariant Section being this copyright notice and license. A copy of the license is included in the section entitled "GNU Free Documentation License". Novell, the Novell logo, the N logo, openSUSE, SUSE, and the SUSE "geeko" logo are registered trademarks of Novell, Inc.

[...]

**
Substitutes for an arbitrary number of path elements, including entire directories.

[abc]
Substitutes for the single character a, b, or c. Example: a rule that matches /home[01]/*/.plan allows a program to access .plan files for users in both /home0 and /home1.

[a-c]
Substitutes for the single character a, b, or c.
{ab,cd}
Expands to one rule to match ab and one rule to match cd. Example: a rule that matches /{usr,www}/pages/** grants access to Web pages in both /usr/pages and /www/pages.
4.8 File Permission Access Modes
File permission access modes consist of combinations of the following nine modes:

r    Read mode
w    Write mode
px   Discrete profile execute mode
Px   Discrete profile execute mode--clean exec
ux   Unconstrained execute mode
Ux   Unconstrained execute mode--clean exec
ix   Inherit execute mode
m    Allow PROT_EXEC with mmap(2) calls
l    Link mode
Read Mode (r)
Allows the program to have read access to the resource. Read access is required for shell scripts and other interpreted content, and it also determines whether an executing process can core dump or be attached to with ptrace(2) (ptrace(2) is used by utilities such as strace(1), ltrace(1), and gdb(1)).
Write Mode (w)
Allows the program to have write access to the resource.

Discrete Profile Execute Mode (px)
This mode requires that a discrete security profile is defined for a resource executed at a Novell AppArmor domain transition.

WARNING: Using the Discrete Profile Execute Mode px does not scrub the environment of variables such as LD_PRELOAD. As a result, the calling domain may have an undue amount of influence over the callee.

Discrete Profile Execute Mode (Px)--Clean Exec
Px allows the named program to run in px mode, but AppArmor invokes the Linux kernel's unsafe_exec routines to scrub the environment, similar to setuid programs. See ld.so(8) for some information about setuid and setgid environment scrubbing.

Unconstrained Execute Mode (ux)
Allows the program to execute the resource without any Novell AppArmor profile applied to the executed resource. This mode is useful when a confined program needs to be able to perform a privileged operation, such as rebooting the machine. By placing the privileged section in another executable and granting unconstrained execution rights, it is possible to bypass the mandatory constraints imposed on all confined processes. For more information about what is constrained, see the apparmor(7) man page. Never grant the calling profile write access (w) to a target it may execute with ux: a confined process that can rewrite a binary it is allowed to run unconfined has a direct escape from confinement.

WARNING: Using Unconstrained Execute Mode (ux)
Use ux only in very special cases. It enables the designated child processes to be run without any AppArmor protection. As a result, the calling domain may have an undue amount of influence over the callee. Use this mode only if the child absolutely must be run unconfined and LD_PRELOAD must be used.

Unconstrained Execute Mode (Ux)--Clean Exec
Ux allows the named program to run in ux mode, but AppArmor invokes the Linux kernel's unsafe_exec routines to scrub the environment, similar to setuid programs. See ld.so(8) for some information about setuid and setgid environment scrubbing.

WARNING: Using Unconstrained Execute Mode (Ux)
Use Ux only in very special cases. It enables the designated child processes to be run without any AppArmor protection.

[...]

application firewalling
Novell AppArmor contains applications and limits the actions they are permitted to take. It uses privilege confinement to prevent attackers from using malicious programs on the protected server and even using trusted applications in unintended ways.

attack signature
Pattern in system or network activity that signals a possible virus or hacker attack. Intrusion detection systems might use attack signatures to distinguish between legitimate and potentially malicious activity.

[...]
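The globbing table and the execute modes of Section 4.8 above can both be checked mechanically before a profile is loaded. The following Python script is an added example, not part of the guide or of Novell's own tooling: it translates AppArmor path globs into regular expressions (a simplified translation assumed here; the real parser applies extra rules at path boundaries and supports nested braces), parses a small constructed profile file (the daemon, helper, mailer and paths in it are hypothetical), and audits the execute rules for px/Px targets that have no discrete profile and for ux/Ux rules that drop confinement.

```python
import re

# Constructed sample profile file (not from the guide): a hypothetical daemon
# reads .plan files and static pages, runs a helper that has its own profile,
# runs a mailer for which no profile exists, and may run reboot unconfined.
SAMPLE_PROFILE = """\
/usr/sbin/finger-web {
  /home[01]/*/.plan r,
  /{usr,www}/pages/** r,
  /usr/bin/plan-render Px,
  /usr/bin/mailer px,
  /sbin/reboot ux,
}

/usr/bin/plan-render {
  /etc/plan-render.conf r,
}
"""

def glob_to_regex(pattern):
    """Translate an AppArmor path glob into a regular expression.

    Simplified translation assumed for this example (the real parser has
    extra rules at path boundaries and supports nested braces):
      *  any run of characters except '/'    **  any run, '/' included
      [..] character class, passed through as-is
      {a,b} alternation (not nested); everything else is literal
    """
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if pattern.startswith('**', i):
            piece, step = '.*', 2
        elif ch == '*':
            piece, step = '[^/]*', 1
        elif ch == '[':
            j = pattern.index(']', i)
            piece, step = pattern[i:j + 1], j + 1 - i
        elif ch == '{':
            j = pattern.index('}', i)
            alts = pattern[i + 1:j].split(',')
            piece, step = '(?:%s)' % '|'.join(map(glob_to_regex, alts)), j + 1 - i
        else:
            piece, step = re.escape(ch), 1
        out.append(piece)
        i += step
    return ''.join(out)

def glob_matches(pattern, path):
    """True if the whole of `path` is matched by the AppArmor glob."""
    return re.fullmatch(glob_to_regex(pattern), path) is not None

_HEADER = re.compile(r'^(\S+)\s*\{$')
_RULE = re.compile(r'^(\S+)\s+([rwlmixpPuU]+),$')

def parse_profiles(text):
    """Return {profile_name: [(path_glob, modes), ...]} for a flat profile file."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        header = _HEADER.match(line)
        if header:
            current = header.group(1)
            profiles[current] = []
        elif line == '}':
            current = None
        else:
            rule = _RULE.match(line)
            if rule is None or current is None:
                raise ValueError('unrecognised line: %r' % raw)
            profiles[current].append((rule.group(1), rule.group(2)))
    return profiles

def allows(profiles, profile, path, mode):
    """True if `profile` has a rule whose glob matches `path` and grants `mode`."""
    return any(mode in modes and glob_matches(glob, path)
               for glob, modes in profiles.get(profile, []))

def audit_exec_rules(profiles):
    """Flag execute rules that cannot work or that weaken confinement."""
    findings = []
    for name, rules in profiles.items():
        for target, modes in rules:
            if ('px' in modes or 'Px' in modes) and target not in profiles:
                findings.append((name, target, 'px/Px target has no discrete profile'))
            elif 'px' in modes:
                findings.append((name, target, 'px leaves LD_PRELOAD unscrubbed; prefer Px'))
            if 'ux' in modes:
                findings.append((name, target, 'ux child runs unconfined with the caller environment'))
            elif 'Ux' in modes:
                findings.append((name, target, 'Ux child runs unconfined'))
    return findings

if __name__ == '__main__':
    for finding in audit_exec_rules(parse_profiles(SAMPLE_PROFILE)):
        print('%s -> %s: %s' % finding)
```

On the sample, glob_matches confirms that /home[01]/*/.plan covers /home1/bob/.plan but not /home2/bob/.plan or /home0/bob/sub/.plan (a single * never crosses a directory boundary), and that /{usr,www}/pages/** covers files at any depth below both /usr/pages and /www/pages. audit_exec_rules returns two findings: the px rule for /usr/bin/mailer cannot work because the file defines no profile named /usr/bin/mailer, and the ux rule for /sbin/reboot starts a child with no AppArmor protection and the caller's environment intact. The Px rule for /usr/bin/plan-render passes because that profile exists and the exec is a clean one.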