IBM 10 SP1 EAL4 5.8.1 AppArmor administrative utilities
Administrative utilities provide a mechanism for administrators to configure, query, and control
AppArmor.
For background information on AppArmor, which was originally named SubDomain, see "SubDomain: Parsimonious Server Security" by Crispin Cowan, Steve Beattie, Greg Kroah-Hartman, Calton Pu, Perry Wagle, and Virgil Gligor at https://forgesvn1.novell.com/viewsvn/apparmor/trunk/docs/papers/subdomain-lisa00.pdf?revision=3 [CRISP], as well as http://www.novell.com/documentation/apparmor/pdfdoc/apparmor2_admin/apparmor2_admin.pdf and http://forge.novell.com/modules/xfmod/project/?apparmor.
5.8.1 AppArmor administrative utilities
The primary configuration file for AppArmor is /etc/apparmor/subdomain.conf. (SubDomain was
the original name for AppArmor.) The configuration file defines the directory where AppArmor profiles are
located, what action to take if the AppArmor LSM cannot be loaded at system boot time (warn, panic,
build, or build-panic), whether the OWLSM extension should be loaded, and whether event logging
should occur. For more information about AppArmor configuration, please see the man page on
subdomain.conf.
AppArmor profiles define the confinement rules for applications protected by AppArmor. The profiles are
kept in /etc/apparmor.d. Profiles are named by the full path to the executable with / replaced by a
period (.). The following contains an example AppArmor policy for klogd which is stored in
/etc/apparmor.d/sbin.klogd:
#include <tunables/global>
/sbin/klogd {
  #include <abstractions/base>
  capability sys_admin,
  /boot/System.map* r,
  /proc/kmsg r,
  /sbin/klogd rmix,
  /var/log/boot.msg rwl,
  /var/run/klogd.pid rwl,
}
In this example, klogd can read the files matching /boot/System.map* and /proc/kmsg, and can
write log and run-time information such as /var/log/boot.msg and /var/run/klogd.pid.
Allowable access is denoted by familiar UNIX permission constructs, with some additions, as follows:
r - read
w - write
ux - unconstrained execute
Ux - unconstrained execute after scrubbing the environment
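As an added example (not code from the manual or the AppArmor project), the following Python checker parses the klogd profile above, applies AppArmor's globbing rule that a single * does not cross a / boundary, and reports whether a given operation on a path is granted. Mode letters that appear in the profile but are not listed on this page (m, i, l) are decoded with their standard AppArmor meanings; the #include lines are recognised but not expanded.

```python
import re

# Constructed sample: the /sbin/klogd profile from the page, as stored in
# /etc/apparmor.d/sbin.klogd. The #include lines are skipped, not expanded.
KLOGD_PROFILE = """\
#include <tunables/global>
/sbin/klogd {
  #include <abstractions/base>
  capability sys_admin,
  /boot/System.map* r,
  /proc/kmsg r,
  /sbin/klogd rmix,
  /var/log/boot.msg rwl,
  /var/run/klogd.pid rwl,
}
"""

# Mode letters mapped to the operation they grant. r, w and x are from the page;
# m (mmap executable), l (link) are standard AppArmor letters. The execute
# qualifiers u/U/i/p only modify x, so they carry no operation of their own.
OP_FOR_LETTER = {"r": "read", "w": "write", "l": "link", "m": "mmap", "x": "exec"}

def parse_profile(text):
    """Return (profile_name, capabilities, [(path_glob, mode)]) for one profile."""
    name, caps, rules = None, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):        # comments and #include lines
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
        elif line.startswith("capability "):
            caps.append(line[len("capability "):].rstrip(","))
        elif line.startswith("/") and line.endswith(","):
            path, mode = line[:-1].rsplit(None, 1)  # "<glob> <mode>,"
            rules.append((path, mode))
    return name, caps, rules

def glob_to_regex(pattern):
    """AppArmor globbing: '*' stays within one path component, '**' crosses '/'."""
    esc = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.compile("^" + esc + "$")

def allowed(rules, path, op):
    """True if some rule's glob matches `path` and its mode grants `op`."""
    for pattern, mode in rules:
        if glob_to_regex(pattern).match(path):
            # lower() folds Ux/Px onto their base letters; 'x' becomes "exec"
            if op in {OP_FOR_LETTER[c] for c in mode.lower() if c in OP_FOR_LETTER}:
                return True
    return False
```

Running allowed() against the parsed rules shows, for instance, that /boot/System.map-2.6.16 is readable but not writable, and that a path such as /boot/System.map/extra is not matched because the single * stops at the directory separator.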