Paranoid Penguin - An Introduction to Novell AppArmor

If you need to create a new profile from scratch, there are several ways to do so, all explained in detail in the aforementioned Admin Guide Using YaST and also in the AppArmor Advanced User's Guide (/usr/share/doc/packages/subdomain-docs/adv-ug-apparmor.pdf). Here, however, is the easiest method:

That's basically it! The excellent documents in /usr/share/doc/packages/subdomain-docs explain not only the above procedure, but also how to use the Add Profile Manually applet and even how to create profiles from scratch using your text editor of choice.

Before I close this month's column, I leave you with a couple observations based on my experiences tinkering with AppArmor over the past couple of months. First, I must stress the importance of having a healthy local logging facility. As you can see, AppArmor relies heavily on /var/log/messages not only for providing you with a good audit trail, but also for providing its own wizards with crucial configuration intelligence. Therefore, if you have a customized system logger, make sure that there's at least a symbolic link from /var/log/messages to wherever your subdomain messages end up.

For example, on my chrooted syslog-ng installation, my subdomain messages are written to /var/syslog-ng/var/log/messages. Before AppArmor would work properly on this system, I had to create a symbolic link from /var/log/messages to this location. I also had to edit /etc/logrotate.d/syslog so that the “real” messages file would be rotated when too large or old; otherwise, the symbolic link was destroyed by my logrotate cron job. (Obviously, I should have updated logrotate.d/syslog already, back when I configured syslog-ng—by the time I got around to this, /var/syslog-ng/var/log/messages had grown to an embarrassing and unwieldy size.)

Also, I should point out that, just like all of YaST's modules, you don't need to be running the X Window System to run the Novell AppArmor YaST applets. You shouldn't be running X on Internet-connected servers, both because it's almost never necessary and because X has a very rich history of so-called local privilege escalation vulnerabilities. It may seem tempting to ignore such vulnerabilities if you're worried about non-local attackers, but “local” is a usually a misnomer. If attackers gain shell access via, for example, a buffer-overflow attack against some network dæmon, they often can exploit so-called local privilege escalation vulnerabilities to promote themselves to root.

I hope you'll forgive me, therefore, for using attractive screenshots of the X version of YaST in this article—I assure you that the content and functionality is identical in the text-only versions of these applets.

Finally, a tip—in the course of repeatedly running the Update Profile Wizard to make my guestbook PHP script work, AppArmor for some reason forgot I'd dealt with two particular events in /var/log/messages and prompted me over and over about these two events. The problem went away when I manually deleted the corresponding lines in /var/log/messages, and I haven't experienced that particular anomaly since. The problem may have had more to do with my weird syslog-ng behavior than with anything in AppArmor, but I mention it in case you experience anything similar. AppArmor's log messages always contain the string SubDomain.