# $Id: logprof.conf 981 2007-09-17 03:28:26Z DominicReynolds_ $
# ------------------------------------------------------------------
#
# Copyright (C) 2004-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# custom directory locations to look for #includes
#
# each name should be a valid directory containing possible #include
# candidate files under the profile dir which by default is /etc/apparmor.d.
#
# So an entry of my-includes will allow /etc/apparmor.d/my-includes to
# be used by the yast UI and profiling tools as a source of #include
# files.
#
# Left empty here: no extra #include directories beyond the default.
# NOTE(review): the [section] this key belongs to starts before this
# excerpt, so its header is not visible here.
custom_includes =
[qualifiers]
# key   = absolute path of a program
# value = the exec modes the profiling tools may offer for it, going by the
#         comments in this section: i = inherit the caller's profile,
#         u = run unconfined (no AppArmor restriction at all)
#
# Anything marked u runs outside AppArmor whenever a confined program
# executes it, so additions to the u lists deserve a second look.
# things will be painfully broken if bash has a profile
/bin/bash = iu
/bin/ksh = iu
# these programs can't function if they're confined
/bin/mount = u
/etc/init.d/subdomain = u
/sbin/cardmgr = u
/sbin/subdomain_parser = u
/usr/sbin/genprof = u
/usr/sbin/logprof = u
/usr/lib/YaST2/servers_non_y2/ag_genprof = u
/usr/lib/YaST2/servers_non_y2/ag_logprof = u
# these ones shouldn't have their own profiles; they inherit the caller's
/bin/awk = i
/bin/cat = i
/bin/chmod = i
/bin/chown = i
/bin/cp = i
/bin/gawk = i
/bin/grep = i
/bin/gunzip = i
/bin/gzip = i
/bin/kill = i
/bin/ln = i
/bin/ls = i
/bin/mkdir = i
/bin/mv = i
/bin/readlink = i
/bin/rm = i
/bin/sed = i
/bin/touch = i
/sbin/killall5 = i
/usr/bin/find = i
/usr/bin/killall = i
/usr/bin/nice = i
/usr/bin/perl = i
/usr/bin/tr = i
# NOTE(review): the path-rewrite rules below belong to the [globs] section
# (the same lines appear under [globs] further down this document); the
# [globs] header is missing from this excerpt, so an INI parser reading it
# as-is would file them under [qualifiers].
# key = regex matched against an observed path, value = glob to suggest instead
# turn /foo/bar/baz.8907234 into /foo/bar/baz.*
# BUGBUG - this one looked weird because it would suggest a glob for
# BUGBUG - libfoo.so.5.6.0 that looks like libfoo.so.5.6.*
# \.\d+$ = .*
# some various /etc/security poo -- dunno about these ones...
^/etc/security/_[^\/]+$ = /etc/security/*
^/lib/security/pam_filter/[^\/]+$ = /lib/security/pam_filter/*
^/lib/security/pam_[^\/]+\.so$ = /lib/security/pam_*.so
# $Id: logprof.conf 981 2007-09-17 03:28:26Z DominicReynolds_ $
# ------------------------------------------------------------------
#
# Copyright (C) 2004-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
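[settings]
# Directories searched for installed profiles (space-separated).
profiledir = /etc/apparmor.d /etc/subdomain.d
# Directory of inactive (not loaded) profiles, e.g. the shipped extras.
inactive_profiledir = /usr/share/doc/apparmor-profiles/extras
# Log files scanned for AppArmor events (space-separated).
logfiles = /var/log/audit/audit.log /var/log/messages /var/log/syslog
# Candidate parser binaries (space-separated).
parser = /sbin/apparmor_parser /sbin/subdomain_parser
ldd = /usr/bin/ldd
# Candidate logger binaries (space-separated).
logger = /bin/logger /usr/bin/logger
# custom directory locations to look for #includes
#
# each name should be a valid directory containing possible #include
# candidate files under the profile dir which by default is /etc/apparmor.d.
#
# So an entry of my-includes will allow /etc/apparmor.d/my-includes to
# be used by the yast UI and profiling tools as a source of #include
# files.
#
# Left empty here: no extra #include directories beyond the default.
custom_includes =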
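[repository]
# Profile repository the tools talk to.
distro = ubuntu-gutsy
# NOTE(review): plain http, so anything fetched from here is not
# integrity-protected in transit unless the tool verifies it separately.
url = http://apparmor.test.opensuse.org/backend/api
preferred_user = ubuntu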
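[qualifiers]
# key   = absolute path of a program
# value = the exec modes the profiling tools may offer for it, going by the
#         comments in this section: i = inherit the caller's profile,
#         u = run unconfined (no AppArmor restriction at all)
#
# Anything marked u runs outside AppArmor whenever a confined program
# executes it, so additions to the u lists deserve a second look.
# things will be painfully broken if bash has a profile
/bin/bash = iu
/bin/ksh = iu
# these programs can't function if they're confined
/bin/mount = u
/etc/init.d/subdomain = u
/sbin/cardmgr = u
/sbin/subdomain_parser = u
/usr/sbin/genprof = u
/usr/sbin/logprof = u
/usr/lib/YaST2/servers_non_y2/ag_genprof = u
/usr/lib/YaST2/servers_non_y2/ag_logprof = u
# these ones shouldn't have their own profiles; they inherit the caller's
/bin/awk = i
/bin/cat = i
/bin/chmod = i
/bin/chown = i
/bin/cp = i
/bin/gawk = i
/bin/grep = i
/bin/gunzip = i
/bin/gzip = i
/bin/kill = i
/bin/ln = i
/bin/ls = i
/bin/mkdir = i
/bin/mv = i
/bin/readlink = i
/bin/rm = i
/bin/sed = i
/bin/touch = i
/sbin/killall5 = i
/usr/bin/find = i
/usr/bin/killall = i
/usr/bin/nice = i
/usr/bin/perl = i
/usr/bin/tr = i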
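[required_hats]
# key   = regex over the program path
# value = hat names (space-separated) that a matching profile must define
^.+/apache(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT
^.+/httpd(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT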
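[defaulthat]
# key   = regex over the program path
# value = the hat used by default for a matching profile
^.+/apache(|2|2-prefork)$ = DEFAULT_URI
^.+/httpd(|2|2-prefork)$ = DEFAULT_URI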
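[globs]
# key   = regex matched against an observed path
# value = the glob the tools suggest in its place
#
# A glob admits more paths than the one that was observed (e.g. /home/*
# covers every user's home directory), so review each suggestion before
# accepting it into a profile.
# /foo/bar/lib/libbaz.so -> /foo/bar/lib/lib*
/lib/lib[^\/]+so[^\/]*$ = /lib/lib*so*
# strip kernel version numbers from kernel module accesses
^/lib/modules/[^\/]+\/ = /lib/modules/*/
# strip pid numbers from /proc accesses
^/proc/\d+/ = /proc/*/
# if it looks like a home directory, glob out the username
^/home/[^\/]+ = /home/*
# if they use any perl modules, grant access to all
^/usr/lib/perl5/.+$ = /usr/lib/perl5/**
# locale foo
^/usr/lib/locale/.+$ = /usr/lib/locale/**
^/usr/share/locale/.+$ = /usr/share/locale/**
# timezone fun
^/usr/share/zoneinfo/.+$ = /usr/share/zoneinfo/**
# /foobar/fonts/baz -> /foobar/fonts/**
/fonts/.+$ = /fonts/**
# turn /foo/bar/baz.8907234 into /foo/bar/baz.*
# BUGBUG - this one looked weird because it would suggest a glob for
# BUGBUG - libfoo.so.5.6.0 that looks like libfoo.so.5.6.*
# \.\d+$ = .*
# some various /etc/security poo -- dunno about these ones...
^/etc/security/_[^\/]+$ = /etc/security/*
^/lib/security/pam_filter/[^\/]+$ = /lib/security/pam_filter/*
^/lib/security/pam_[^\/]+\.so$ = /lib/security/pam_*.so
^/etc/pam.d/[^\/]+$ = /etc/pam.d/*
^/etc/profile.d/[^\/]+\.sh$ = /etc/profile.d/*.sh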