
AppArmor usage

AppArmor modes

Author: 동우 | Date: 12.01.31 | Views: 247

http://manpages.ubuntu.com/manpages/oneiric/en/man5/apparmor.d.5.html

When blocking with deny, it would be nice to use ixr, but that gives an error; only rw can be used. That's roughly it.. I don't know why..


r - read
w - write -- conflicts with append
a - append -- conflicts with write
ux - unconfined execute
Ux - unconfined execute -- scrub the environment
px - discrete profile execute
Px - discrete profile execute -- scrub the environment
cx - transition to subprofile on execute
Cx - transition to subprofile on execute -- scrub the environment
ix - inherit execute
m - allow PROT_EXEC with mmap(2) calls
l - link
k - lock



r

Read mode

w

Write mode

px

Discrete profile execute mode

Px

Discrete profile execute mode—clean exec

ux

Unconstrained execute mode

Ux

Unconstrained execute mode—clean exec

ix

Inherit execute mode

m

Allow PROT_EXEC with mmap(2) calls

l

Link mode
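
The access modes listed above, written out as file rules in a profile. This is an added example, not taken from the original post or the linked documentation; the program path /usr/local/bin/example-app and every file path in it are constructed, and the Px rule assumes a separate profile for /usr/sbin/sendmail is already loaded.

```apparmor
# Hypothetical profile for a constructed program, /usr/local/bin/example-app.
#include <tunables/global>

/usr/local/bin/example-app {
  #include <abstractions/base>

  # Plain file access
  /etc/example-app/*.conf      r,     # read only
  /var/log/example-app/*.log   w,     # write (w and a cannot be combined)
  /var/lib/example-app/**      rwlk,  # read, write, link and lock below the directory

  # Shared libraries need m so they can be mapped with PROT_EXEC
  /usr/lib/example-app/*.so    mr,

  # Execute modes: each executable gets exactly one transition qualifier
  /bin/grep                    ix,    # inherit: grep runs under this same profile
  /usr/sbin/sendmail           Px,    # switch to sendmail's own profile, environment scrubbed

  # deny takes plain access modes. ix/px/ux are transition qualifiers that
  # describe how an allowed exec runs, so apparmor_parser rejects them after
  # deny; a bare x is the form used to deny execution.
  deny /etc/shadow             rw,
  deny /tmp/**                 x,
}
```

Saved under /etc/apparmor.d/, a profile like this is loaded or reloaded with apparmor_parser -r.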

More precise details


http://www.novell.com/documentation/apparmor/apparmor201_sp10_admin/?page=/documentation/apparmor/apparmor201_sp10_admin/data/book_apparmor_admin.html


sudo aa-logprof: detailed explanation. My English isn't good, so I used Google Translate, haha;;


[(A)llow] / (D)eny / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish

AppArmor provides one or more paths or includes. By entering the option number, select the desired options then proceed to the next step.

NOTE: All of these options are not always presented in the AppArmor menu.

#include

This is the section of an AppArmor profile that refers to an include file, which procures access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs. Using includes can reduce the size of a profile. It is good practice to select includes when suggested.

Globbed Version

This is accessed by selecting Glob as described in the next step. For information about globbing syntax, refer to Section 4.7, Paths and Globbing.

Actual Path

This is the literal path to which the program needs access so that it can run properly.

After you select the path or include, process it as an entry into the AppArmor profile by selecting Allow or Deny. If you are not satisfied with the directory path entry as it is displayed, you can also Glob it.

The following options are available to process the learning mode entries and build the profile:

Select Enter

Allows access to the selected directory path.

Allow

Allows access to the specified directory path entries. AppArmor suggests file permission access. For more information, refer to Section 4.8, File Permission Access Modes.

Deny

Prevents the program from accessing the specified directory path entries. AppArmor then continues to the next event.



New

Prompts you to enter your own rule for this event, allowing you to specify a regular expression. If the expression does not actually satisfy the event that prompted the question in the first place, AppArmor asks for confirmation and lets you reenter the expression.



Glob

Select a specific path or create a general rule using wild cards that match a broader set of paths. To select any of the offered paths, enter the number that is printed in front of the path then decide how to proceed with the selected item.

For more information about globbing syntax, refer to Section 4.7, Paths and Globbing.



Glob w/Ext

This modifies the original directory path while retaining the filename extension. For example, /etc/apache2/file.ext becomes /etc/apache2/*.ext, adding the wild card (asterisk) in place of the filename. This allows the program to access all files in the suggested directory that end with the .ext extension.



Abort

Aborts aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified.

To quit without making changes: nothing is saved.

Finish

Closes aa-logprof, saving all rule changes entered so far and modifying all profiles.

Ends the questions and exits.

