/etc/immunix/subdomain.conf - configuration file for fine-tuning the
behavior of the AppArmor security tool.
DESCRIPTION
The AppArmor security tool can be configured to have
certain default behaviors based on configuration options set
in subdomain.conf. There are three variables that can be set in
subdomain.conf: SUBDOMAIN_ENABLE_OWLSM, SUBDOMAIN_PATH, and
SUBDOMAIN_MODULE_PANIC.
SUBDOMAIN_ENABLE_OWLSM
This variable toggles between yes/no, and by default it is set to no.
This variable determines whether the subdomain initscript will enable
or disable the OWLsm security extension for subdomain when the subdomain
security tool is started. When enabled, the OWLsm feature prevents programs
from following symlinks in temporary directories that are not owned by
the program's UID, and it prevents processes from creating hardlinks to
files not owned by their UID.
SUBDOMAIN_PATH
This variable accepts a string (path), and is by default set to
'/etc/subdomain.d/'. This variable defines where the subdomain security
tool looks for its policy definitions (a.k.a. subdomain profiles).
SUBDOMAIN_MODULE_PANIC
This variable accepts a string that is one of four values:
warn, build, panic, or build-panic, and is set by default to warn.
This setting controls the behavior of the AppArmor initscript if it
cannot successfully load the subdomain kernel module on startup. The
four possible settings are:
warn
Log a failure message (default behavior).
build
Attempt to build the SubDomain module against the currently running
kernel. If the compilation is successful, the module will be loaded and
AppArmor started. If the compilation fails, a failure message is logged.
panic
Log a failure message and drop to runlevel 1 (single user).
build-panic
Attempt to build the module against the running kernel (like build)
and if the compilation fails, drop to runlevel 1 (single user).
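
The following audit script is an added example, not part of the original manual page or of AppArmor itself. It checks the three variables against the values documented above without sourcing the file. It assumes one NAME=value assignment per line; the function names are hypothetical, and treating log-only failure settings as findings is this example's policy.

```shell
#!/bin/sh
# Added example: audit subdomain.conf values without sourcing the file.
# Assumption: one NAME=value assignment per line, value optionally quoted.

# Print the effective value of NAME in FILE, or DEFAULT when it is unset.
conf_value() {
    value=$(sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | tail -n 1 |
            sed -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//")
    printf '%s\n' "${value:-$3}"
}

# Print one finding per line; the exit status is the number of findings.
audit_subdomain_conf() {
    conf=$1
    findings=0
    owlsm=$(conf_value "$conf" SUBDOMAIN_ENABLE_OWLSM no)
    profiles=$(conf_value "$conf" SUBDOMAIN_PATH /etc/subdomain.d/)
    on_fail=$(conf_value "$conf" SUBDOMAIN_MODULE_PANIC warn)

    case $owlsm in
        yes) ;;
        no) echo "NOTE: OWLsm symlink and hardlink restrictions are off"
            findings=$((findings + 1)) ;;
        *)  echo "ERROR: SUBDOMAIN_ENABLE_OWLSM='$owlsm' is not yes or no"
            findings=$((findings + 1)) ;;
    esac
    case $on_fail in
        panic|build-panic) ;;
        warn|build)
            echo "NOTE: SUBDOMAIN_MODULE_PANIC=$on_fail ends in a log message only"
            findings=$((findings + 1)) ;;
        *)  echo "ERROR: SUBDOMAIN_MODULE_PANIC='$on_fail' is not a documented value"
            findings=$((findings + 1)) ;;
    esac
    if [ ! -d "$profiles" ]; then
        echo "ERROR: SUBDOMAIN_PATH '$profiles' is not a directory"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: write a config into DIR and print its file name.
make_sample_conf() {
    mkdir -p "$1/profiles"
    printf '%s\n' '# constructed sample' 'SUBDOMAIN_ENABLE_OWLSM="yes"' \
        "SUBDOMAIN_PATH=$1/profiles" 'SUBDOMAIN_MODULE_PANIC=build' > "$1/subdomain.conf"
    printf '%s\n' "$1/subdomain.conf"
}
```

Parsing the file with sed instead of sourcing it means a malformed or tampered configuration is reported rather than executed by the auditing shell.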
BUGS
None known. If you find any, please report them to
support@immunix.com or bugzilla at http://bugs.wirex.com.
SEE ALSO
subdomain(7) and subdomain_parser(8).
