[Apparmor-dev] A command line tool to add to a profile?
Mark Dalton
mwd at cray.com
Wed May 2 13:15:15 MDT 2007
I read through previous mails and FAQs, and I did not find a command
line tool to add a definition/allowed directory to an existing
definition. It would be useful for RPMs of packages or an easy command for an admin for a set of servers.
It looks like the log_prof perl script could do this since it already modifies it.
I was thinking of something like this, or adding options to log_prof?

    aa_log_add --program sbin.syslog-ng \
        --allow_dir /dev/my_syslog_pipe --access rw

The nice thing about the command line option is you could have it
require where it came from:

    aa_log_add --program sbin.syslog-ng \
        --allow_dir /dev/my_syslog_pipe \
        --access rw --from my_syslog_tool.rpm

Currently this _hack_ works, but it is ugly:

    cat sbin.syslog-ng | sed -e 's/\/dev\/xconsole rw,/\/dev\/xconsole rw,^M \/dev\/my_syslog_pipe rw,/g' > /tmp/outpipe
    cp /tmp/outpipe /etc/apparmor.d/sbin.syslog-ng

I did find the solutions but they all require a System Administrator
interactively adding something by hand.
The current tools for adding:

    Yast - GUI
    vi or your favorite editor
    logprof - Allows you to scan the logs to see what
              definitions should be added.
              But you need to go through a list.

So it does not help much on a group of machines which may not be
identical, and it does not help with an RPM install.
Mark
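
Added example, not part of the original message and not an AppArmor tool: a non-interactive, idempotent way to add one file rule to a profile, of the kind the message asks for in place of the sed hack. The helper name aa_add_rule, its argument order, the restricted access-mode set and the 644 file mode are assumptions.

```shell
#!/bin/sh
# Added example. aa_add_rule is a hypothetical helper, not an AppArmor tool.
# Usage: aa_add_rule PROFILE_FILE PATH ACCESS [ORIGIN]
# Assumes the file holds a single profile whose closing "}" starts a line
# of its own; the rule is inserted just before the last such line.
aa_add_rule() {
    profile=$1 path=$2 access=$3 origin=${4:-manual}
    [ -f "$profile" ] || { echo "no such profile: $profile" >&2; return 2; }
    # Strict allow-lists, so an argument cannot smuggle extra rules,
    # globs or comment text into the policy file.
    case $path in
        /*) ;;
        *) echo "path must be absolute" >&2; return 2 ;;
    esac
    case $path$origin in
        *[!A-Za-z0-9/._-]*) echo "unsupported character" >&2; return 2 ;;
    esac
    case $access in
        ''|*[!rwalk]*) echo "bad access mode: $access" >&2; return 2 ;;
    esac
    tmp=$(mktemp "$profile.XXXXXX") || return 1
    # Pass 1 notes an identical existing rule and the last "}" line;
    # pass 2 copies the file, inserting the new rule before that line.
    awk -v p="$path" -v a="$access" -v o="$origin" '
        NR == FNR { if ($1 == p && $2 == a ",") dup = 1
                    if ($1 == "}") last = FNR
                    next }
        FNR == last && !dup { printf "  %s %s,  # added by %s\n", p, a, o }
        { print }
        END { if (!last) exit 1 }   # no closing brace: refuse to edit
    ' "$profile" "$profile" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$profile" "$tmp"; then
        rm -f "$tmp"; return 0      # identical rule already present
    fi
    # Replace atomically; mode 644 is an assumption about the profile dir.
    chmod 644 "$tmp" && mv "$tmp" "$profile"
}
# After a change, reload the profile: apparmor_parser -r "$profile"
```

Because a second call with the same rule leaves the file untouched, the helper can be run from a package post-install script on every upgrade.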