1
# $Id: subdomain.conf.pod 497 2007-03-26 22:22:28Z steve-beattie $
2
# This publication is intellectual property of Novell Inc. Its contents
3
# can be duplicated, either in part or in whole, provided that a copyright
4
# label is visibly located on each copy.
6
# All information found in this book has been compiled with utmost
7
# attention to detail. However, this does not guarantee complete accuracy.
8
# Neither SUSE LINUX GmbH, the authors, nor the translators shall be held
9
# liable for possible errors or the consequences thereof.
11
# Many of the software and hardware descriptions cited in this book
12
# are registered trademarks. All trade names are subject to copyright
13
# restrictions and may be registered trade marks. SUSE LINUX GmbH
14
# essentially adheres to the manufacturer's spelling.
16
# Names of products and trademarks appearing in this book (with or without
17
# specific notation) are likewise subject to trademark and trade protection
18
# laws and may thus fall under copyright restrictions.
20
# Please direct suggestions and comments to apparmor-general@forge.novell.com.
26
/etc/apparmor/subdomain.conf - configuration file for fine-tuning the
27
behavior of the AppArmor security tool.
31
The AppArmor security tool can be configured to have
32
certain default behaviors based on configuration options set
33
in subdomain.conf. There are two variables that can be set in
34
subdomain.conf: B<SUBDOMAIN_PATH>, and B<SUBDOMAIN_MODULE_PANIC>.
38
FIXME keep quiet about OWLSM support for now.
40
=head2 SUBDOMAIN_ENABLE_OWLSM
42
This veriable is a yes/no toggle and is by default set to I<no>.
44
This variable determines whether the AppArmor initscript will enable
45
or disable the OWLsm security extension to AppArmor when the AppArmor
46
security tool is started. When enabled the OWLsm feature prevents programs
47
from following symlinks in temporary directories that are not owned by
48
the program's UID, and prevents processes from creating hardlinks to
49
files not owned by their UID.
55
This variable accepts a string (path), and is by default set to
56
'/etc/apparmor.d/' This variable defines where the AppArmor security
57
tool looks for its policy definitions (a.k.a. AppArmor profiles).
59
=head2 SUBDOMAIN_MODULE_PANIC
61
This variable accepts a string that is one of four values: I<warn>,
62
I<build>, I<panic>, or I<build-panic>, and is set by default to I<warn>.
64
This setting controls the behavior of the AppArmor initscript if it
65
cannot successfully load the AppArmor kernel module on startup. The four
66
possible settings are:
72
Log a failure message (the default behavior).
76
Attempt to build the AppArmor module against the currently running
77
kernel. If the compilation is successful, the module will be loaded and
78
AppArmor started; if the compilation fails, a failure message is logged.
82
Log a failure message and drop to runlevel 1 (single user).
86
Attempt to build the module against the running kernel (like I<build>)
87
and if the compilation fails, drop to runlevel 1 (single user).
93
Setting the initscript to recompile the module will fail on SUSE, as the
94
module source is no longer installed by default. However, the module has
95
been included with the SUSE kernel, so no rebuilding should be necessary.
97
If you find any additional bugs, please report them to
98
bugzilla at L<http://bugzilla.novell.com>.
102
apparmor(7), apparmor_parser(8), and
103
L<http://forge.novell.com/modules/xfmod/project/?apparmor>.