Novell APPARMOR 1.2 ADMINISTRATION GUIDE
Novell AppArmor
www.novell.com
1.2 09/29/2005
Powered by
Immunix
Administration
Guide
Novell AppArmor Powered by Immunix 1.2 Administration Guide
Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specically disclaims any express or implied warranties of merchantability or tness
for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and
specically disclaims any express or implied warranties of merchantability or tness for any particular
purpose. Further, Novell, Inc. reserves the right to make changes toany and all parts of Novell software,
at any time, without any obligation to notify any person or entity of such changes.
You may not use, export, or re-export this product in violation of any applicable laws or regulations
including, without limitation, U.S. export regulations or the laws of the country in which you reside.
Copyright © 2000 - 2004, 2005 Novell, Inc. All rights reserved. No part of this publication may be
reproduced, photocopied, stored on a retrieval system, or transmitted without the express written
consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is
described in this document. In particular, and without limitation, these intellectual property rights
may include one or more of the U.S. patents listed at http://www.novell.com/company/
legal/patents/ and one or more additional patents or pending patent applications in the U.S.
and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the online documentation for this and other Novell products, and
to get updates, see www.novell.com/documentation.
Novell Trademarks
AppArmor is a registered trademark of Novell, Inc. in the United States and other countries.
Immunix is a trademark of Novell, Inc. in the United States and other countries.
Novell is a registered trademark of Novell, Inc. in the United States and other countries.
SUSE is a registered trademark of SUSE LINUX Products GmbH, a Novell business.
Third-Party Materials
All third-party trademarks are the property of their respective owners.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
Contents
Introduction to Novell AppArmor vii
1 Immunizing Programs 13
2 Selecting Programs to Immunize 15
2.1 Immunize Programs That Grant Privilege . . . . . . . . . . . . . . . 15
2.2 Inspect Open Ports to Immunize Programs . . . . . . . . . . . . . . 16
3 Building Novell AppArmor Proles 21
3.1 Prole Components and Syntax . . . . . . . . . . . . . . . . . . . 21
3.2 Building and Managing Novell AppArmor Proles . . . . . . . . . . . 24
3.3 Building Novell AppArmor Proles with the YaST GUI . . . . . . . . . . 26
3.4 Building Novell AppArmor Proles Using the Command Line Interface . . 49
3.5 Two Methods of Proling . . . . . . . . . . . . . . . . . . . . . . 54
3.6 Pathnames and Globbing . . . . . . . . . . . . . . . . . . . . . . 73
3.7 File Permission Access Modes . . . . . . . . . . . . . . . . . . . . 74
4 Managing Proled Applications 77
4.1 Monitoring Your Secured Applications . . . . . . . . . . . . . . . . 77
4.2 Setting Up Event Notication . . . . . . . . . . . . . . . . . . . . 78
4.3 Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
4.4 Reacting to Security Events . . . . . . . . . . . . . . . . . . . . 102
4.5 Maintaining Your Security Proles . . . . . . . . . . . . . . . . . 103
5 Proling Your Web Applications Using ChangeHat Apache 105
5.1 Apache ChangeHat . . . . . . . . . . . . . . . . . . . . . . . . 106
5.2 Apache Conguration for mod_change_hat . . . . . . . . . . . . . 113
6 Support 117
6.1 Updating Novell AppArmor Online . . . . . . . . . . . . . . . . . 117
6.2 Using the Man Pages . . . . . . . . . . . . . . . . . . . . . . . 117
6.3 For More Information . . . . . . . . . . . . . . . . . . . . . . 119
6.4 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . 119
6.5 Support for SUSE Linux . . . . . . . . . . . . . . . . . . . . . . 121
6.6 Reporting Bugs for AppArmor . . . . . . . . . . . . . . . . . . . 126
Glossary 129
vi
Introduction to Novell AppArmor
Novell® AppArmor Powered by Immunix is designed to provide easy-to-use application
security for both servers and workstations. Novell AppArmor is an access control system
that lets you specify per program which les the program may read, write, and execute.
AppArmor secures applications by enforcing good application behavior without relying
on attack signatures, so can prevent attacks even if they are exploiting previously unknown vulnerabilities.
Novell AppArmor consists of:
• A library of AppArmor proles for common Linux* applications describing what
les the program needs to access.
• A library of AppArmor prole foundation classes (prole building blocks) needed
for common application activities, such as DNS lookup and user authentication.
• A tool suite for developing and enhancing AppArmor proles, so that you can
change the existing proles to suit your needs and create new proles for your own
local and custom applications.
• Several specially modied applications that are AppArmor enabled to provide enhanced security in the form of unique subprocess connement, including Apache.
• The Novell AppArmor–loadable kernel module and associated control scripts to
enforce AppArmor policies on your SUSE® Linux system.
NOTE
Some distributions of SUSE Linux include a version of AppArmor that enforce
policies for a limited set of programs. These policies can be modied to suit
your particular environment using the included AppArmor tool set. To create
AppArmor proles for additional programs, an upgrade to the full version of
AppArmor is required.
1 Documentation Conventions
The following typographical conventions are used in this manual:
Menu Items, Field Names, and Screen Titles in GUIs
When using GUIs, eld names, menu and screen titles, and eld values are shown
as File.
Keys
Key names are listed as they appear on your keyboard, as in Enter and Esc .
Command
Linux commands (and other operating system commands, when used) are represented this way. This style should indicate to you that you can type the word
or phrase on the command line and press Enter to run the command.
Example 1
To use ls to view the contents in the current directory, enter ls in a terminal
window.
Filename
Filenames, directory names, paths, and RPM package names are represented this
way. This style should indicate that a particular le or directory exists by that name
on your Linux system.
Placeholders
Replace placeholder with the actual value that matches your setup.
Examples, Notes, and Warnings
Examples use Example: when appropriate. Notes and pertinent information are
shown with a Note or Warning ag, as in:
NOTE
Notes highlight information that might help better understand previous
paragraphs. Warnings provide important information that might seriously
affect the integrity of the product or your data.
Command Environment
viii
Computer Output
When you see text in this style, it indicates text displayed by the computer
on the command line. You see responses to typed commands, error messages, and
interactive prompts for your input during scripts or programs shown this way.
Example 2
Use the ls command to display the contents of a directory:
$ ls
Desktop about.html logs
Mail backupfiles mail
Trademarks
A trademark symbol (®, etc.) denotes a Novell trademark. An asterisk (*) denotes
a third-party trademark.
Computer Output
2 Understanding This Guide
Immunizing Programs
Describes operation of Novell AppArmor Powered by Immunix.
Selecting Programs to Immunize
Describes the types of programs that should have Novell AppArmor proles created
for them.
Building Novell AppArmor Proles
Describes how to use the Novell AppArmor tools to immunize your own programs
and third-party programs that you may have installed on your SUSE Linux system.
It also helps you to add, edit, or delete proles that have been created for your applications.
Managing Proled Applications
Describes how to perform Novell AppArmor prole maintenance, which involves
tracking common issues and concerns.
Proling Your Web Applications Using ChangeHat Apache
Enables you to create subproles for the Apache Web server that allow you to
tightly conne small sections of Web application processing.
Introduction to Novell AppArmor ix
Support
Indicates support options for this product.
Glossary
Provides a list of terms and their denitions.
3 Getting Started with Novell
AppArmor
Novell AppArmor Powered by Immunix (Novell AppArmor) provides you with technologies to protect your applications from their own vulnerabilities by creating Novell
AppArmor proles for applications on your SUSE Linux system.
3.1 Launching Novell AppArmor through the YaST GUI
SUSE Linux offers the utility YaST. Using YaST, you can launch the Novell AppArmor
interface. This is the recommended method for a novice Linux user. For the other
available methods, refer to Section 3.2, “Building and Managing Novell AppArmor
Proles” (page 24).
To start YaST, select System → Control Center (YaST) from the SUSE menu.
•
YaST is launched as shown in Section 3.2, “Novell AppArmor Basics” (page x),
below. You can refer to this section to navigate in Novell AppArmor.
NOTE
Alternately, you can launch the YaST GUI by opening a terminal window then
entering yast2 while logged in as root.
3.2 Novell AppArmor Basics
Novell AppArmor enables you to manage proles through a simple user interface.
x
In the YaST Control Center, click Novell AppArmor in the left pane. The right from
then shows the different Novell AppArmor conguration option. Select the appropriate
Novell AppArmor conguration option by clicking the corresponding icon.
Depending on the conguration option you select, refer to one of the following locations
in this guide:
Add Prole Wizard
For detailed steps, refer to Section 3.3.1, “Adding a Prole Using the Wizard”
(page 27).
AppArmor Reports
For detailed steps, refer to Section 4.3, “Reports” (page 81).
Edit Prole
Edit an existing Novell AppArmor prole on your system. For detailed steps, refer
to Section 3.3.3, “Editing a Prole” (page 39).
Update Prole Wizard
For detailed steps, refer to Section 3.3.5, “Updating Proles from Syslog Entries”
(page 42).
Introduction to Novell AppArmor xi
AppArmor Control Panel
For detailed steps, refer to Section 3.3.6, “Managing Novell AppArmor and Secu-
rity Event Status” (page 47).
Delete Prole
Delete an existing Novell AppArmor prole from your system. For detailed steps,
refer to Section 3.3.4, “Deleting a Prole” (page 41).
Manually Add Prole
Add a Novell AppArmor prole for an application on your system without the help
of the wizard. For detailed steps, refer to Section 3.3.2, “Manually Adding a Prole”
(page 34).
xii
Immunizing Programs
Novell® AppArmor provides immunization technologies that protect SUSE Linux applications from the inherent vulnerabilities they possess. After installing Novell AppArmor, setting up Novell AppArmor proles and rebooting the computer, your system
becomes immunized because it begins to enforce the Novell AppArmor security policies.
Protecting programs with Novell AppArmor is referred to as immunizing.
Novell AppArmor sets up a collection of default application proles to protect standard
Linux services. To protect other applications, use the Novell AppArmor tools to create
proles for the applications that you want protected. This chapter introduces you to the
philosophy of immunizing programs. Proceed to Chapter 3, Building Novell AppArmor
Proles (page 21) if you are ready to build and manage Novell AppArmor proles.
Novell AppArmor provides streamlined access control for network services by specifying
which les each program is allowed to read, write, and execute. This ensures that each
program does what it is supposed to do and nothing else.
Novell AppArmor is host intrusion prevention, or a mandatory access control scheme,
that is optimized for servers. Previously, access control schemes were centered around
users because they were built for large timeshare systems. Alternatively, modern network
servers largely do not permit users to log in, but instead provide a variety of network
services for users, such as Web, mail, le, and print. Novell AppArmor controls the
access given to network services and other programs to prevent weaknesses from being
exploited.
1
Immunizing Programs 13
Selecting Programs to Immunize
Novell® AppArmor quarantines programs to protect the rest of the system from being
damaged by a compromised process. You should inspect your ports to see which programs should be proled (refer to Section 2.2, “Inspect Open Ports to Immunize Pro-
grams” (page 16)) and prole all programs that grant privilege (Section 2.1, “Immunize
Programs That Grant Privilege” (page 15)).
2.1 Immunize Programs That Grant Privilege
Programs that need proling are those that mediate privilege. The following programs
have access to resources that the person using the program does not have, so they grant
the privilege to the user when used:
cron jobs
Programs that are run periodically by cron. Such programs read input from a variety
of sources and can run with special privileges, sometimes with as much as root
privilege. For example, cron can run /usr/bin/updatedb daily to keep the
locate database up to date with sufcient privilege to read the name of every le
in the system. For instructions for nding these types of programs, refer to Sec-
tion 2.2.1, “Immunizing Cron Jobs” (page 18).
2
Web Applications
Programs that can be invoked through a Web browser, including CGI Perl scripts,
PHP pages, and more complex Web applications. For instructions on nding these
Selecting Programs to Immunize 15
types of programs, refer to Section 2.2.2, “Immunizing Web Applications”
(page 18).
Network Agents
Programs (servers and clients) that have open network ports. User clients such as
mail clients and Web browsers, surprisingly, mediate privilege. These programs
run with the privilege to write to the user's home directories and they process input
from potentially hostile remote sources, such as hostile Web sites and e-mailed
malicious code. For instructions on nding these types of programs, refer to Sec-
tion 2.2.3, “Immunizing Network Agents” (page 20).
Conversely, unprivileged programs do not need to be proled. For instance, a shell
script might invoke the cp program to copy a le. Because cp does not have its own
prole, it inherits the prole of the parent shell script, so can copy any les that the
parent shell script's prole can read and write.
2.2 Inspect Open Ports to Immunize Programs
An automated method for nding network server daemons that should be proled is to
use the unconned tool. You can also simply view a report of this information in the
YaST GUI (refer to Section “Application Audit Report” (page 88) for instructions).
16
The unconned tool uses the command netstat -nlp to inspect your open ports
from inside your computer, detect the programs associated with those ports, and inspect
the set of Novell AppArmor proles that you have loaded. Unconned then reports
these programs along with the Novell AppArmor prole associated with each program,
or reports “none” if the program is not conned.
NOTE
If you create a new prole, you must restart the program that has been proled
for unconned to detect and report the new proled state.
Below is a sample unconned output:
2325 /sbin/portmap not confined
3702❶ /usr/sbin/sshd❷ confined by '/usr/sbin/sshd❸ (enforce)'
4040 /usr/sbin/ntpd confined by '/usr/sbin/ntpd (enforce)'
4373 /usr/lib/postfix/master confined by '/usr/lib/postfix/master (enforce)'
4505 /usr/sbin/httpd2-prefork confined by '/usr/sbin/httpd2-prefork (enforce)'
5274 /sbin/dhcpcd not confined
5592 /usr/bin/ssh not confined
7146 /usr/sbin/cupsd confined by '/usr/sbin/cupsd (complain)'
The rst portion is a number. This number is the process ID number (PID) of the
❶
listening program.
The second portion is a string that represents the absolute path of the listening
❷
program
The nal portion indicates the prole conning the program, if any.
❸
NOTE
Unconned requires root privileges and should not be run from a shell that is
conned by an AppArmor prole.
Unconned does not distinguish between one network interface and another, so it reports
all unconned processes, even those that might be listening to an internal LAN interface.
Finding user network client applications is dependent on your user preferences. The
unconned tool detects and reports network ports opened by client applications, but
only those client applications that are running at the time the unconned analysis is
performed. This is a problem because network services tend to be running all the time,
while network client applications tend only to be running when the user is interested
in them.
Applying Novell AppArmor proles to user network client applications is also dependent
on user preferences, and Novell AppArmor is intended for servers rather than workstations. Therefore, we leave proling of user network client applications as an exercise
for the user.
To aggressively conne desktop applications, the unconned command supports a
paranoid option, which reports all processes running and the corresponding AppArmor
proles that might or might not be associated with each process. The unconned user
can then decide whether each of these programs needs an AppArmor prole.
Additional proles can be traded with other users and with the Novell® security development team on the user mailing list at http://mail.wirex.com/mailman/
listinfo/immunix-users.
Selecting Programs to Immunize 17
2.2.1 Immunizing Cron Jobs
To nd programs that are run by cron, you need to inspect your local cron conguration.
Unfortunately, cron conguration is rather complex, so there are numerous les to inspect. Periodic cron jobs are run from these les:
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/*
For root's cron jobs, you can edit the tasks with crontab -e and list root's cron tasks
with crontab -l. You must be root for these to work.
Once you nd these programs, you can use the Add Prole Wizard to create proles
for them. Refer to Section 3.3.1, “Adding a Prole Using the Wizard” (page 27).
2.2.2 Immunizing Web Applications
To nd Web applications, you should investigate your Web server conguration. The
Apache Web server is highly congurable and Web applications can be stored in many
directories, depending on your local conguration. SUSE Linux,by default, stores Web
applications in /srv/www/cgi-bin/. To the maximum extent possible, each Web
application should have an Novell AppArmor prole.
18
Once you nd these programs, you can use the AppArmor Add Prole Wizard to create
proles for them. Refer to Section 3.3.1, “Adding a Prole Using the Wizard” (page 27).
CGI Programs and Subprocess Connement in Web
Applications
Because CGI programs are executed by the Apache Web server, the prole for Apache
itself usr.sbin.httpd2-prefork (for Apache2 on SUSE Linux) must be modied
to add execute permissions to each of these programs. For instance, adding the line
/srv/www/cgi-bin/my_hit_counter.pl rpx grants Apache permission to
execute the Perl script my_hit_counter.pl and requires that there be a dedicated
prole for my_hit_counter.pl. If my_hit_counter.pl does not have a ded-
icated prole associated with it, the rule should say
/srv/www/cgi-bin/my_hit_counter.pl rix to cause my_hit_counter
.pl to inherit the usr.sbin.httpd2-prefork prole.
Some users might nd it inconvenient to specify execute permission for every CGI
script that Apache might invoke. Instead, the administrator can grant controlled access
to collections of CGI scripts. For instance, adding the line
/srv/www/cgi-bin/*.{pl,py,pyc} rix allows Apache to execute all les
in /srv/www/cgi-bin/ ending in .pl (Perl scripts) and .py or .pyc (Python
scripts). As above, the ix part of the rule causes the Python scripts to inherit the Apache
prole, which is appropriate if you do not want to write individual proles for each
Python script.
NOTE
If you want the subprocess connement module (mod_change_hat) functionality when Web applications handle Apache modules (mod_perl and mod
_php), use the ChangeHat features when you add a prole in YaST or at the
command line. To take advantage of the subprocess connement, refer to
Section 5.1, “Apache ChangeHat” (page 106).
Proling Web applications that use mod_perl and mod_php require slightly different
handling. In this case, the “program” is a script interpreted directly by the module
within the Apache process, so no exec happens. Instead, the Novell AppArmor version
of Apache calls change_hat() naming a subprole (a “hat”) corresponding to the
name of the URI requested.
NOTE
The name presented for the script to execute might not be the URI, depending
on how Apache has been congured for where to look for module scripts. If
you have congured your Apache to place scripts in a different place, the different names appear in syslog when Novell AppArmor complains about access
violations. See Chapter 4, Managing Proled Applications (page 77).
For mod_perl and mod_php scripts, this is the name of the Perl script or the PHP
page requested. For example, adding this subprole allows the localtime.php page to
execute and access the local system time:
Selecting Programs to Immunize 19
/usr/sbin/httpd2-prefork^/cgi-bin
localtime.php {
/etc/localtime r,
/srv/www/cgi-bin/localtime.php r,
/usr/lib/locale/** r,
}
If no subprole has been dened, the Novell AppArmor version of Apache applies the
DEFAULT_URI hat. This subprole is basically sufcient to display an HTML Web
page. The DEFAULT_URI hat that Novell AppArmor provides by default is the following:
/usr/sbin/suexec2 ixr,
/var/log/apache2/** rwl,
/home/*/public_html/** r,
/srv/www/htdocs/** r,
/srv/www/icons/*.{gif,jpg,png} r,
/usr/share/apache2/** r,
If you want a single Novell AppArmor prole for all Web pages and CGI scripts served
by Apache, a good approach is to edit the DEFAULT_URI subprole.
2.2.3 Immunizing Network Agents
To nd network server daemons that should be proled, you should inspect the open
ports on your machine, consider the programs that are answering on those ports, and
provide proles for as many of those programs as possible. If you provide proles for
all programs with open network ports, an attacker cannot get to the le system on your
machine without passing through a Novell AppArmor prole policy.
20
Scan your server for open network ports manually from outside the machine using a
scanner, such as nmap, or from inside the machine using netstat. Then inspect the machine to determine which programs are answering on the discovered open ports.
Building Novell AppArmor Proles
This chapter explains how to build and manage Novell® AppArmor proles. You are
ready to build Novell AppArmor proles after you select the programs to prole. For
help with this, refer to Chapter 2, Selecting Programs to Immunize (page 15).
3.1 Prole Components and Syntax
This section details the syntax or makeup of Novell AppArmor proles. An example
illustrating this syntax is presented in Section 3.1.1, “Breaking a Novell AppArmor
Prole into Its Parts” (page 21).
3.1.1 Breaking a Novell AppArmor Prole
into Its Parts
Novell AppArmor prole components are called Novell AppArmor rules. Currently
there are two main types of Novell AppArmor rules, path entries and capability entries.
Path entries specify what the process can access in the le system and capability entries
provide a more ne-grained control over what a conned process is allowed to do
through other system calls that require privileges. Includes are a type of meta rule or
directives that pull in path and capability entries from other les.
3
The easiest way of explaining what a prole consists of and how to create one is to
show the details of a sample prole. Consider, for example, the following prole for
the program /sbin/klogd:
Building Novell AppArmor Proles 21
# profile to confine klogd❶
/sbin/klogd ❷
{❸
#include <abstractions/base>❹
capability sys_admin,❺
/boot/* r❻,
/proc/kmsg r,
/sbin/klogd r,
/var/run/klogd.pid lw,
}
A comment naming the program that is conned by this prole. Always precede
❶
comments like this with the # sign.
The absolute path to the program that is conned.
❷
The curly braces {} serve as a container for include statements of other proles
❸
as well as for path and capability entries.
This directive pulls in components of Novell AppArmor proles to simplify pro-
❹
les.
Capability entry statements enable each of the 29 POSIX.1e draft capabilities.
❺
A path entry specifying what areas of the le system the program can access. The
❻
rst part of a path entry species the absolute path of a le (including regular
expression globbing) and the second part indicates permissible access modes (r
for read, w for write, and x for execute). A white space of any kind (spaces or
tabs) can precede pathnames or separate the pathname from the access modes.
White space between the access mode and the trailing comma is optional.
22
When a prole is created for a program, the program can access only the les, modes,
and POSIX capabilities specied in the prole. These restrictions are in addition to the
native Linux access controls.
Example: To gain the capability CAP_CHOWN, the program must have both access
to CAP_CHOWN under conventional Linux access controls (typically, be a root-owned
process) and have capability chown in its prole. Similarly, to be able to write to the
le /foo/bar the program must have both the correct user ID and mode bits set in
the les attributes (see the chmod and chown man pages) and have /foo/bar w in
its prole.
Attempts to violate Novell AppArmor rules are recorded in syslog. In many cases,
Novell AppArmor rules prevent an attack from working because necessary les are not
accessible and, in all cases, Novell AppArmor connement restricts the damage that
the attacker can do to the set of les permitted by Novell AppArmor.
3.1.2 #include
#include statements are directives that pull in components of other Novell AppArmor proles to simplify proles. Include les fetch access permissions for programs. By using an include, you can give the program access to directory paths or les that are also required by other programs. Using includes can reduce the size of a prole.
By default, the #include statement appends /etc/subdomain.d/, which is
where it expects to nd the include le, to the beginning of the pathname. Unlike other
prole statements (but similar to C programs), #include lines do not end with a
comma.
To assist you in proling your applications, Novell AppArmor provides two classes of
#includes, abstractions, and program chunks.
Abstractions
Abstractions are #includes that are grouped by common application tasks. These
tasks include access to authentication mechanisms, access to name service routines,
common graphics requirements, and system accounting. Files listed in these abstractions
are specic to the named task; programs that require one of these les usually require
some of the other les listed in the abstraction le (depending on the local conguration
as well as the specic requirements of the program). Abstractions can be found in
/etc/subdomain.d/abstractions/.
Program Chunks
Program chunks are access controls for specic programs that a system administrator
might want to control based on local site policy. Each chunk is used by a single program.
These are provided to ease local-site modications to policy and updates to policy
provided by Novell AppArmor. Administrators can modify policy in these les to suit
their own needs and leave the program proles unmodied, simplifying the task of
merging policy updates from Novell AppArmor into enforced policy at each site.
Building Novell AppArmor Proles 23
The access restrictions in the program chunks are typically very liberal and are designed
to allow your users access to their les in the least intrusive way possible while still
allowing system resources to be protected. An exception to this rule is the postfix*
series of program chunks. These proles are used to help abstract the location of the
postx binaries. You probably do not want to reduce the permissions in the postfix*
series. Programchunks can be found in /etc/subdomain.d/program-chunks/
.
3.1.3 Capability Entries (POSIX.1e)
Capabilities statements are simply the word “capability” followed by the name of the
POSIX.1e capability as dened in the capabilities(7) man page.
3.2 Building and Managing Novell
AppArmor Proles
There are three ways you can build and manage Novell AppArmor proles, depending
on the type of computer environment you prefer. You can use the graphical YaST interface (YaST GUI), the text-based YaST ncurses mode (YaST ncurses), or the command
line interface. All three options are effective for creating and maintaining proles while
offering need-based options for users.
24
The command line interface requires knowledge of Linux commands and using terminal
windows. All three methods use specialized Novell AppArmor tools for creating the
proles so you do not need to do it manually, which would be quite time consuming.
3.2.1 Using the YaST GUI
To use the YaST GUI for building and managing Novell AppArmor proles, refer to
Section 3.3, “Building Novell AppArmor Proles with the YaST GUI” (page 26).
3.2.2 Using YaST ncurses
YaST ncurses can be used for building and managing Novell AppArmor proles and
is better suited for users with limited bandwidth connections to their server. Access
YaST ncurses by typing yast while logged in to a terminal window or console as root.
YaST ncurses has the same features as the YaST GUI.
Refer to the instructions in Section 3.3, “Building Novell AppArmor Proles with the
YaST GUI” (page 26) to build and manage Novell AppArmor proles in YaST
ncurses, but be aware that the screens look different but function similarly.
3.2.3 Using the Command Line Interface
The command line interface requires knowledge of Linux commands and using terminal
windows. To use the command line interface for building and managing Novell AppArmor proles, refer to Section 3.4, “Building Novell AppArmor Proles Using the
Command Line Interface” (page 49).
The command line interface offers access to a few tools that are not available using the
other Novell AppArmor managing methods:
complain
Sets proles into complain mode. Set it back to enforce mode when you want the
system to begin enforcing the rules of the proles, not just logging information.
For more information about this tool, refer to Section “Complain or Learning Mode”
(page 58).
enforce
Sets proles back to enforce mode and the system begins enforcing the rules of
the proles, not just logging information. For more information about this tool,
refer to Section “Enforce Mode” (page 59).
unconned
Performs a server audit to nd processes that are running and listening for network
connections then reports whether they are proled.
autodep
Generates a prole skeleton for a program and loads it into the Novell AppArmor
module in complain mode.
Building Novell AppArmor Proles 25
3.3 Building Novell AppArmor
Proles with the YaST GUI
Open the YaST GUI displays from the SUSE menu with System → YaST → Novell
AppArmor. Novell AppArmor opens in the YaST interface as shown below:
NOTE
You can also access the YaST GUI by opening a terminal window, logging in as
root, and entering yast2.
26
In the right frame, yousee several Novell AppArmor option icons. If Novell AppArmor
does not display in the left frame of the YaST window or if the Novell AppArmor icons
do not display, you might want to reinstall Novell AppArmor. The following actions
are available from Novell AppArmor.
Click one of the following Novell AppArmor icons and proceed to the section referenced
below:
Add Prole Wizard
For detailed steps, refer to Section 3.3.1, “Adding a Prole Using the Wizard”
(page 27).
Manually Add Prole
Add a Novell AppArmor prole for an application on your system without the help
of the wizard. For detailed steps, refer to Section 3.3.2, “Manually Adding a Prole”
(page 34).
Edit Prole
Edits an existing Novell AppArmor prole on your system. For detailed steps, refer
to Section 3.3.3, “Editing a Prole” (page 39).
Delete Prole
Deletes an existing Novell AppArmor prole from your system. For detailed steps,
refer to Section 3.3.4, “Deleting a Prole” (page 41).
Update Prole Wizard
For detailed steps, refer to Section 3.3.5, “Updating Proles from Syslog Entries”
(page 42).
AppArmor Reports
For detailed steps, refer to Section 4.3, “Reports” (page 81).
AppArmor Control Panel
For detailed steps, refer to Section 3.3.6, “Managing Novell AppArmor and Secu-
rity Event Status” (page 47).
3.3.1 Adding a Prole Using the Wizard
The Add Prole Wizard is designed to set up Novell AppArmor proles using the
Novell AppArmor proling tools, genprof (Generate Prole) and logprof (Update
Proles From Learning Mode Log File). For more information about these tools, refer
to Section 3.5.3, “Summary of Proling Tools” (page 56).
Stop the application before proling it to ensure that the application start-up is
1
included in the prole. To do this, make sure that the application or daemon is
not running prior to proling it.
Building Novell AppArmor Proles 27
For example, enter /etc/init.d/PROGRAM stop in a terminal window
while logged in as root, replacing PROGRAM is the name of the program to prole.
If you have not done so already, in the YaST GUI, click Novell AppArmor →
2
Add Prole Wizard.
Enter the name of the application or browse to the location of the program.
3
28
Click Create. This runs a Novell AppArmor tool named autodep, which performs
4
a static analysis of the program to prole and loads an approximate prole into
Novell AppArmor module. For more information about autodep, refer to Section
“autodep” (page 57).
The AppArmor Proling Wizard window opens.
In the background, Novell AppArmor also sets the prole to learning mode. For
more information about learning mode, refer to Section “Complain or Learning
Mode” (page 58).
Run the application that is being proled.
5
Perform as many of the application functions as possible so learning mode can
6
log the les and directories to which the program requires access to function
properly.
Click Scan System Log for Entries to Add to Prole to parse the learning mode
7
log les. This generates a series of questions that you must answer to guide the
wizard in generating the security prole.
NOTE
If requests to add hats appear, proceed to Chapter 5, Proling Your Web
Applications Using ChangeHat Apache (page 105).
The questions fall into two categories:
Building Novell AppArmor Proles 29
• A resource is requested by a proled program that is not in the prole (see
Figure 3.1, “Learning Mode Exception: Controlling Access to Specic Resources” (page 30)). The learning mode exception requires you to allow or
deny access to a specic resource.
• A program is executed by the proled program and the security domain
transition has not been dened (see Figure 3.2, “Learning Mode Exception:
Dening Execute Permissions for an Entry” (page 31)). The learning mode
exception requires you to dene execute permissions for an entry.
Each of these cases results in a series of questions that you must answer to add
the resource to the prole or to add the program into the prole. The following
two gures show an example of each case. Subsequent steps describe your options
in answering these questions.
The AppArmor Proling Wizard window opens.
Figure 3.1
Learning Mode Exception: Controlling Access to Specic Resources
30
Loading...