On Jan 10, 2006, at 10:22 AM, Andreas Jaeger wrote:

"Joseph M. Gaffney" <[EMAIL PROTECTED]> writes:

Excellent news... do we know if it will be enabled by default, like SELinux
on many other distros?

I plan to install the packages by default if you do a basic
installation.

Enabling of the profiles is something I'd like to see in the end - the
question is whether the profiles can be preconfigured in such a way
that the users do not need to make additional changes to have a
working and secured system.  So, for beta1 I plan to not enable it by
default and hope that people enable for testing and report back.

But let's ask the AppArmor developers on what they think and how to
help them best,

Andreas
--
 Andreas Jaeger, [EMAIL PROTECTED], http://www.suse.de/~aj
  SUSE Linux Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126

Hi All,

The current profile set is defined for the SUSE 10.0 era application set - we shall start the process to update the profiles after beta1. As soon as we have stable profiles that we have validated against the 10.1 application set we want to enable AppArmor in the default install.

You can help with this effort by testing an existing profile - or creating a new profile.

The following is an overview - there is detailed coverage of this process in the Novell AppArmor Administrator's guide (online at http://www.opensuse.org/Documentation)


* Testing an existing profile:

1. Enable AppArmor. It is a service that can be started like any other: "rcsubdomain start"

2. Restart your application (e.g. apache, postfix)

3. Run your application

4. Update the profiles by running the update tools:
   - "logprof" is a command line tool that should be run as root
   - "YaST -> Novell AppArmor -> Update Profile Wizard" is the YaST GUI equivalent

Both of these tools will result in prompting you about the rejections and you can automatically update the profiles. This is only necessary if you see REJECT messages in /var/log/messages.

5. Send your profile changes to this list or apparmor-[EMAIL PROTECTED] (the profiles are stored in /etc/subdomain.d/ - the filename matches the program path that the profile is for)


* Creating a new profile for an application
(any application can be profiled but we generally view programs that accept network connections as the highest threat - and so in greatest need of protection)

1. Enable AppArmor. It is a service that can be started like any other: "rcsubdomain start"

2. Run the console command "genprof program-binary-name" as root (YaST "Novell AppArmor -> Add Profile Wizard" is the YaST GUI equivalent). This starts the process and will prompt you to restart and run your application.

3. Restart your application (e.g. apache, postfix)

4. Run your application

5. Stop the application

6. Return to the console window (from 2.) and press 'S' (or "Scan for events" in YaST). This will scan the event log and guide you through creating your profile.

7. Send your profile to this list or apparmor-[EMAIL PROTECTED] (the profiles are stored in /etc/subdomain.d/ - the filename matches the program path that the profile is for)



The current profile set is below (can also be found by looking at the contents of /etc/subdomain.d).

---

/usr/sbin/sshd
/usr/sbin/httpd2-prefork
/usr/sbin/squid
/usr/sbin/sendmail
/usr/sbin/postqueue
/usr/sbin/postmap
/usr/sbin/postdrop
/usr/sbin/postalias
/usr/sbin/ntpd
/usr/sbin/nscd
/usr/sbin/identd
/usr/sbin/in.identd
/usr/lib/postfix/trivial-rewrite
/usr/lib/postfix/tlsmgr
/usr/lib/postfix/smtpd
/usr/lib/postfix/smtp
/usr/lib/postfix/showq
/usr/lib/postfix/scache
/usr/lib/postfix/qmgr
/usr/lib/postfix/proxymap
/usr/lib/postfix/pickup
/usr/lib/postfix/nqmgr
/usr/lib/postfix/master
/usr/lib/postfix/local
/usr/lib/postfix/flush
/usr/lib/postfix/cleanup
/usr/lib/postfix/bounce
/usr/lib/man-db/man
/usr/lib/RealPlayer10/realplay
/usr/bin/procmail
/usr/bin/opera
/usr/bin/man
/usr/bin/ldd
/usr/bin/apropos
/usr/X11R6/bin/ethereal
/usr/X11R6/bin/acroread
/sbin/syslogd
/sbin/klogd
/opt/gnome/lib/evolution-data-server-1.2/evolution-data-server-1.4
/opt/gnome/lib/GConf/2/gconfd-2
/opt/gnome/bin/gaim
/opt/gnome/bin/evolution-2.4
/opt/MozillaFirefox/lib/mozilla-xremote-client
/opt/MozillaFirefox/lib/firefox-bin
/opt/MozillaFirefox/bin/firefox.sh
/bin/traceroute
/usr/sbin/traceroute
/bin/ping
/bin/netstat

---

thanks,
-dominic
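The "only run logprof if you see REJECT messages in /var/log/messages" check from Dominic's testing steps, as an added shell example that is not from the post or the AppArmor project. It assumes the AppArmor 2.0-era syslog line layout for REJECTING events and runs against a constructed sample log by default:

```shell
#!/bin/sh
# Added example, not from the post or the AppArmor project: summarise the
# REJECTING messages that the post says should trigger a logprof run, grouped
# by profile, so you know which profiles in /etc/subdomain.d need updating.
# Assumed syslog layout (AppArmor 2.0 era, check against your own log):
#   ... REJECTING <mode> access to <path> (<prog>(<pid>) profile <profile> active <profile>)

# Number of REJECTING events per profile, noisiest first ("count profile").
reject_summary() {
    grep 'REJECTING' "$1" \
        | sed -n 's/.* profile \([^ ]*\) active .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Distinct "<mode> <path>" pairs rejected under the profile named in $2.
reject_paths() {
    grep 'REJECTING' "$1" \
        | grep " profile $2 active " \
        | sed -n 's/.*REJECTING \([a-z]*\) access to \([^ ]*\) .*/\1 \2/p' \
        | sort -u
}

# Constructed sample log (not a real capture) so the script runs offline;
# the PERMITTING line is a complain-mode event that must not be counted.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 10:22:33 host kernel: audit(1136889753.123:45): REJECTING r access to /etc/shadow (nscd(1234) profile /usr/sbin/nscd active /usr/sbin/nscd)
Jan 10 10:22:34 host kernel: audit(1136889754.001:46): REJECTING w access to /var/log/squid/cache.log (squid(2211) profile /usr/sbin/squid active /usr/sbin/squid)
Jan 10 10:22:35 host kernel: audit(1136889755.220:47): REJECTING r access to /etc/shadow (nscd(1234) profile /usr/sbin/nscd active /usr/sbin/nscd)
Jan 10 10:22:36 host kernel: audit(1136889756.400:48): PERMITTING r access to /etc/hosts (ntpd(900) profile /usr/sbin/ntpd active /usr/sbin/ntpd)
EOF

# Usage: sh reject-summary.sh /var/log/messages (defaults to the sample above).
LOG="${1:-$SAMPLE_LOG}"
echo "== REJECTING events per profile in $LOG =="
reject_summary "$LOG"
for profile in $(reject_summary "$LOG" | awk '{ print $2 }'); do
    echo "-- $profile: rejected accesses"
    reject_paths "$LOG" "$profile"
done
```

A profile that appears in the summary is one to re-test and feed to logprof; the per-profile path list tells you whether the denial is a missing rule or a genuine access the profile should keep blocking.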
