# ----------------------------------------------------------------------
#
# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
# NOVELL (All rights reserved)
#
# Copyright (c) 2010 - 2012
# Canonical Ltd. (All rights reserved)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, contact Novell, Inc.
# ----------------------------------------------------------------------
=head1 NAME

/etc/apparmor/subdomain.conf - configuration file for fine-tuning the
behavior of the AppArmor security tool.

=head1 DESCRIPTION

The AppArmor security tool can be configured to have
certain default behaviors based on configuration options set
in subdomain.conf. There are two variables that can be set in
subdomain.conf: B<SUBDOMAIN_PATH> and B<SUBDOMAIN_MODULE_PANIC>.
=begin comment

FIXME keep quiet about OWLSM support for now.

=head2 SUBDOMAIN_ENABLE_OWLSM

This variable is a yes/no toggle and is by default set to I<no>.

This variable determines whether the AppArmor initscript will enable
or disable the OWLsm security extension to AppArmor when the AppArmor
security tool is started. When enabled, the OWLsm feature prevents programs
from following symlinks in temporary directories that are not owned by
the program's UID, and prevents processes from creating hardlinks to
files not owned by their UID.

=end comment
=head2 SUBDOMAIN_PATH

This variable accepts a string (path), and is by default set to
'/etc/apparmor.d/'. This variable defines where the AppArmor security
tool looks for its policy definitions (a.k.a. AppArmor profiles).
=head2 SUBDOMAIN_MODULE_PANIC

This variable accepts a string that is one of four values: I<warn>,
I<build>, I<panic>, or I<build-panic>, and is set by default to I<warn>.

This setting controls the behavior of the AppArmor initscript if it
cannot successfully load the AppArmor kernel module on startup. The four
possible settings are:

=over 4

=item warn

Log a failure message (the default behavior).

=item build

Attempt to build the AppArmor module against the currently running
kernel. If the compilation is successful, the module will be loaded and
AppArmor started; if the compilation fails, a failure message is logged.

=item panic

Log a failure message and drop to runlevel 1 (single user).

=item build-panic

Attempt to build the module against the running kernel (like I<build>)
and if the compilation fails, drop to runlevel 1 (single user).

=back
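The two variables described above, as an added check script (not part of the AppArmor initscript or of this manual page): it reads a subdomain.conf-style file, validates both documented variables against their allowed values and defaults, and reports the action the initscript takes on module-load failure for each SUBDOMAIN_MODULE_PANIC value. The absolute-path requirement for SUBDOMAIN_PATH and the sample file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not AppArmor's own code: validate a subdomain.conf file.

# Print the value of KEY from a KEY=value file (last occurrence wins, quotes
# and trailing "# comments" stripped); prints nothing if KEY is absent.
conf_get() {
    found=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$2="*)
                found=${line#"$2="}                # text after KEY=
                found=${found%%#*}                 # drop trailing comment
                found=${found#[\"\']}              # strip opening quote
                found=${found%%[\"\'[:space:]]*}   # stop at quote/whitespace
                ;;
        esac
    done < "$1"
    printf '%s\n' "$found"
}

# Map SUBDOMAIN_MODULE_PANIC to the documented initscript behavior when the
# kernel module cannot be loaded. Unset/empty uses the default "warn";
# unknown values are reported and also fall back to "warn".
module_load_failure_action() {
    m=$(conf_get "$1" SUBDOMAIN_MODULE_PANIC)
    case "${m:-warn}" in
        warn)        echo "log failure" ;;
        build)       echo "build module; log failure if build fails" ;;
        panic)       echo "log failure; drop to runlevel 1" ;;
        build-panic) echo "build module; drop to runlevel 1 if build fails" ;;
        *) echo "unknown SUBDOMAIN_MODULE_PANIC '$m'; using warn" >&2
           echo "log failure" ;;
    esac
}

# Check both variables; print each problem and return 1 if any was found.
# Assumption (not stated in the manual): SUBDOMAIN_PATH must be absolute.
check_subdomain_conf() {
    rc=0
    p=$(conf_get "$1" SUBDOMAIN_PATH)
    case "${p:-/etc/apparmor.d/}" in
        /*) ;;
        *)  echo "SUBDOMAIN_PATH must be an absolute path, got '$p'"; rc=1 ;;
    esac
    m=$(conf_get "$1" SUBDOMAIN_MODULE_PANIC)
    case "${m:-warn}" in
        warn|build|panic|build-panic) ;;
        *) echo "SUBDOMAIN_MODULE_PANIC must be warn, build, panic or build-panic, got '$m'"; rc=1 ;;
    esac
    return $rc
}
```

Run it as `check_subdomain_conf /etc/apparmor/subdomain.conf && module_load_failure_action /etc/apparmor/subdomain.conf` to validate a real file and see which failure path is configured.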
=head1 BUGS

Setting the initscript to recompile the module will fail on SUSE, as the
module source is no longer installed by default. However, the module has
been included with the SUSE kernel, so no rebuilding should be necessary.

If you find any additional bugs, please report them at
L<https://bugs.launchpad.net/apparmor/+filebug>.

=head1 SEE ALSO

apparmor(7), apparmor_parser(8), and
L<http://wiki.apparmor.net>.