Paranoid Penguin - An Introduction to Novell AppArmor

Who says “easy-to-use mandatory access controls” is a contradiction in terms?
How to Create a New Profile Quickly

If you need to create a new profile from scratch, there are several ways to do so, all explained in detail in the aforementioned Admin Guide Using YaST and also in the AppArmor Advanced User's Guide (/usr/share/doc/packages/subdomain-docs/adv-ug-apparmor.pdf). Here, however, is the easiest method:

  1. Run the Add Profile Wizard, being sure to specify the full path to the program you want to protect when prompted for the application name. You will be prompted to run the program, during which time AppArmor runs in “learn” mode, and builds a profile by observing the application's behavior.

  2. After the Add Profile Wizard closes, restart your application (if a dæmon) and test it as thoroughly as possible. If everything works properly, you're done.

  3. If anything failed in the previous step, run the Update Profile Wizard. Based on your answers to the Wizard's prompts, the AppArmor profile you just created (plus any other applicable profiles) will be updated.

  4. Repeat steps two and three until the application works the way it did before you created its AppArmor profile. This may take more than two iterations.

That's basically it! The excellent documents in /usr/share/doc/packages/subdomain-docs explain not only the above procedure, but also how to use the Add Profile Manually applet and even how to create profiles from scratch using your text editor of choice.

Miscellaneous Notes

Before I close this month's column, I leave you with a couple observations based on my experiences tinkering with AppArmor over the past couple of months. First, I must stress the importance of having a healthy local logging facility. As you can see, AppArmor relies heavily on /var/log/messages not only for providing you with a good audit trail, but also for providing its own wizards with crucial configuration intelligence. Therefore, if you have a customized system logger, make sure that there's at least a symbolic link from /var/log/messages to wherever your subdomain messages end up.

For example, on my chrooted syslog-ng installation, my subdomain messages are written to /var/syslog-ng/var/log/messages. Before AppArmor would work properly on this system, I had to create a symbolic link from /var/log/messages to this location. I also had to edit /etc/logrotate.d/syslog so that the “real” messages file would be rotated when too large or old; otherwise, the symbolic link was destroyed by my logrotate cron job. (Obviously, I should have updated logrotate.d/syslog already, back when I configured syslog-ng—by the time I got around to this, /var/syslog-ng/var/log/messages had grown to an embarrassing and unwieldy size.)

Also, I should point out that, just like all of YaST's modules, you don't need to be running the X Window System to run the Novell AppArmor YaST applets. You shouldn't be running X on Internet-connected servers, both because it's almost never necessary and because X has a very rich history of so-called local privilege escalation vulnerabilities. It may seem tempting to ignore such vulnerabilities if you're worried about non-local attackers, but “local” is a usually a misnomer. If attackers gain shell access via, for example, a buffer-overflow attack against some network dæmon, they often can exploit so-called local privilege escalation vulnerabilities to promote themselves to root.

I hope you'll forgive me, therefore, for using attractive screenshots of the X version of YaST in this article—I assure you that the content and functionality is identical in the text-only versions of these applets.

Finally, a tip—in the course of repeatedly running the Update Profile Wizard to make my guestbook PHP script work, AppArmor for some reason forgot I'd dealt with two particular events in /var/log/messages and prompted me over and over about these two events. The problem went away when I manually deleted the corresponding lines in /var/log/messages, and I haven't experienced that particular anomaly since. The problem may have had more to do with my weird syslog-ng behavior than with anything in AppArmor, but I mention it in case you experience anything similar. AppArmor's log messages always contain the string SubDomain.

Mick Bauer ( is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Great Article

Linux User's picture

Thanks for the great information on apparmor.

help me now

help me now's picture

I've posted the series over on my education blog, so commenting is open.