mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/docs/subdomain.conf.pod
Steve Beattie 6d3e74907d Import the rest of the core functionality of the internal apparmor 
development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00

103 lines
3.5 KiB
Text
Raw Blame History

# $Id: subdomain.conf.pod 6203 2006-02-02 22:03:41Z steve $
# This publication is intellectual property of Novell Inc. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
#
# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither SUSE LINUX GmbH, the authors, nor the translators shall be held
# liable for possible errors or the consequences thereof.
#
# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. SUSE LINUX GmbH
# essentially adheres to the manufacturer's spelling.
#
# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.
#
# Please direct suggestions and comments to apparmor-general@forge.novell.com.
=pod
=head1 NAME
/etc/apparmor/subdomain.conf - configuration file for fine-tuning the
behavior of the AppArmor security tool.
=head1 DESCRIPTION
The AppArmor security tool can be configured to have
certain default behaviors based on configuration options set
in subdomain.conf. There are two variables that can be set in
subdomain.conf: B<SUBDOMAIN_PATH>, and B<SUBDOMAIN_MODULE_PANIC>.
=begin comment
FIXME keep quiet about OWLSM support for now.
=head2 SUBDOMAIN_ENABLE_OWLSM
This veriable is a yes/no toggle and is by default set to I<no>.
This variable determines whether the AppArmor initscript will enable
or disable the OWLsm security extension to AppArmor when the AppArmor
security tool is started. When enabled the OWLsm feature prevents programs
from following symlinks in temporary directories that are not owned by
the program's UID, and prevents processes from creating hardlinks to
files not owned by their UID.
=end comment
=head2 SUBDOMAIN_PATH
This variable accepts a string (path), and is by default set to
'/etc/apparmor.d/' This variable defines where the AppArmor security
tool looks for its policy definitions (a.k.a. AppArmor profiles).
=head2 SUBDOMAIN_MODULE_PANIC
This variable accepts a string that is one of four values: I<warn>,
I<build>, I<panic>, or I<build-panic>, and is set by default to I<warn>.
This setting controls the behavior of the AppArmor initscript if it
cannot successfully load the AppArmor kernel module on startup. The four
possible settings are:
=over 4
=item I<warn>
Log a failure message (the default behavior).
=item I<build>
Attempt to build the AppArmor module against the currently running
kernel. If the compilation is successful, the module will be loaded and
AppArmor started; if the compilation fails, a failure message is logged.
=item I<panic>
Log a failure message and drop to runlevel 1 (single user).
=item I<build-panic>
Attempt to build the module against the running kernel (like I<build>)
and if the compilation fails, drop to runlevel 1 (single user).
=back
=head1 BUGS
Setting the initscript to recompile the module will fail on SUSE, as the
module source is no longer installed by default. However, the module has
been included with the SUSE kernel, so no rebuilding should be necessary.
If you find any additional bugs, please report them to
bugzilla at L<http://bugzilla.novell.com>.
=head1 SEE ALSO
apparmor(7), apparmor_parser(8), and
L<http://forge.novell.com/modules/xfmod/project/?apparmor>.
Reference in a new issue View git blame Copy permalink