The external AppArmor profile repository at http://apparmor.opensuse.org serves two main purposes: it lets users browse and download profiles created by other users, and it lets them upload their own profiles so that they can easily use them on different machines. A valid login on the profile repository server is required for uploading profiles. Downloading profiles from the server does not require a login.
Using the AppArmor Profile Repository: When using the profile repository in your deployment, bear in mind that the profiles maintained in the repository are primarily targeted at profile developers and might need fine-tuning before they suit your particular needs. Test the downloaded profiles extensively before deploying them to your live setup and adjust them if necessary.
Once properly configured, both the YaST and the command line tools support the use of an external profile repository. The initial configuration takes place when you start the YaST Add Profile Wizard, the Update Profile Wizard, aa-genprof, or aa-logprof to create or update a profile that already exists on the repository server:
Determine whether or not to use the profile repository at all.
Enable the repository for profile downloads.
Once you have created or modified a profile, determine whether the tools should be able to upload your profile to the repository.
If you chose to upload profiles to the repository, enter your credentials for the repository server.
The configuration of the repository is done by editing two configuration files, /etc/apparmor/logprof.conf and /etc/apparmor/repository.conf.
The /etc/apparmor/logprof.conf file contains a section called [repository]. distro determines the version of openSUSE used on your system for which the AppArmor tools should search profiles on the server. url holds the server URL and preferred_user tells the AppArmor tools to prefer profiles created by the novell user. Those profiles were created, tested and approved by members of the SUSE development team.
...
[repository]
distro = opensuse10.3
url = http://apparmor.opensuse.org/backend/api
preferred_user = novell
...
The /etc/apparmor/repository.conf file is created during the configuration process with the AppArmor tools. It contains your authentication data and specifies which actions to enable with regard to the profile repository. If you opt for profile download and do not want to be able to upload your own profiles, enabled is set to yes while upload is set to no.
[repository]
enabled = yes
upload = yes
user = tux
pass = XXXXX
Once initially configured through the AppArmor tools, the configuration can only be changed manually.
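A quick way to review the two files described above, as an added example that is not part of the AppArmor tools or the original documentation: it parses the [repository] sections and reports three conditions chosen here as assumptions about sensible hygiene (a stored password in a file that group or other can access, stored credentials while upload is disabled, and a url that is not https). The function names read_section and audit are hypothetical, and the sample values are constructed from the excerpts on this page.

```python
import os
import stat
from urllib.parse import urlparse

# Constructed samples that mirror the two excerpts shown on this page.
SAMPLE_LOGPROF = """...
[repository]
distro = opensuse10.3
url = http://apparmor.opensuse.org/backend/api
preferred_user = novell
..."""
SAMPLE_REPO = "[repository]\nenabled = yes\nupload = yes\nuser = tux\npass = XXXXX\n"

def read_section(text, section="repository"):
    """Return key/value pairs of one [section]; all other lines are skipped."""
    values, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1].strip() == section
        elif inside and "=" in line and not line.startswith("#"):
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values

def audit(logprof_text, repo_text, repo_mode):
    """Return a list of findings; repo_mode is repository.conf's permission bits."""
    lp, rc = read_section(logprof_text), read_section(repo_text)
    enabled, upload = rc.get("enabled") == "yes", rc.get("upload") == "yes"
    findings = []
    if rc.get("pass") and repo_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("repository.conf holds a password but group/other can access it")
    if rc.get("pass") and not upload:
        findings.append("credentials are stored although upload is disabled")
    if enabled and urlparse(lp.get("url", "")).scheme != "https":
        findings.append("url is not https: profiles are fetched without transport protection")
    return findings

if __name__ == "__main__":
    paths = ("/etc/apparmor/logprof.conf", "/etc/apparmor/repository.conf")
    if all(os.path.exists(p) for p in paths):  # audit the live files (needs read access)
        texts = [open(p).read() for p in paths]
        mode = stat.S_IMODE(os.stat(paths[1]).st_mode)
    else:  # fall back to the constructed samples, as if the file were mode 0644
        texts, mode = [SAMPLE_LOGPROF, SAMPLE_REPO], 0o644
    for finding in audit(texts[0], texts[1], mode) or ["no findings"]:
        print(finding)
```

Because downloaded profiles are copied to /etc/apparmor.d and activated, the transport finding matters even on systems that never upload.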
While creating a profile from scratch or updating an existing profile by processing reject messages in the log, the AppArmor tools search the repository for a matching profile. If the search is successful, the profile or the list of profiles is displayed and you can view them and choose the one that best matches your setup. As soon as you have chosen a profile, it gets copied to the local machine (to the /etc/apparmor.d directory) and activated.
Alternatively, you can choose to ignore the profile on the repository and create your own from scratch.
After a profile has been created or updated, the AppArmor tools detect that a profile also present in the repository has been changed or that a new one has been created. If your system is configured to upload profiles to the repository, you are prompted to provide a ChangeLog to document your changes before the changes are uploaded to the server. These changes are only synced to the repository, but not to the creator of the original profile.