mod_apparmor man page on SuSE

Man page or keyword search:  
man Server   14857 pages
apropos Keyword Search (all sections)
Output format
SuSE logo
[printable version]

MOD_APPARMOR(pod)		   AppArmor		     MOD_APPARMOR(pod)

NAME
       mod_apparmor - fine-grained AppArmor confinement for apache

DESCRIPTION
       An AppArmor profile applies to an executable program; if a portion of
       the program needs different access permissions than other portions, the
       program can "change hats" via change_hat(2) to a different role, also
       known as a subprofile.  The mod_apparmor apache module uses the
       change_hat(2) mechanism to offer more fine-grained confinement of
       dynamic elements within apache such as individual php and perl scripts,
       while still allowing the performance benefits of using mod_php and
       mod_perl.

       To use mod_apparmor with apache, ensure that mod_apparmor is configured
       to be loaded into apache, either via yast or manual editing of the
       httpd(8) configuration files, and restart apache. Make sure that
       apparmor is also functioning.

       Once mod_apparmor is loaded within apache, all requests to apache will
       cause mod_apparmor to attempt to change into a hat named by the URI
       (e.g. /app/some.cgi). If no such hat is found, it will fall back to
       attempting to use the hat DEFAULT_URI; if that also does not exist, it
       will fall back to using the global apache profile. Most static web
       pages can simply make use of the DEFAULT_URI hat.

       However, defining hats for every URI/URL would become tedious, so there
       are a couple of configuration options that mod_apparmor supports:

       AAHatName
	   AAHatName allows you to specify a hat to be used for a given apache
	   directory or location directive (see the apache documenation for
	   more details). Note that mod_apparmor behavior can become confused
	   if directory and location directives are intermingled; it's
	   preferred to stick to one type of directive. If the hat specified
	   by AAHatName does not exist in the apache profile, then it falls
	   back to the behavior above.

       AADefaultHatName
	   AADefaultHatName allows you to specify a default hat to be used for
	   vhosts and other apache server directives, so that you can have
	   different defaults for different virtual hosts. This can be
	   overridden by an AAHatName directive. If the AADefaultHatName hat
	   does not exist, it falls back to the behavior described above.

       Additionally, before any requests come in to apache, mod_apparmor will
       attempt to change hat into the HANDLING_UNTRUSTED_INPUT hat.
       mod_apparmor will attempt to use this hat while apache is doing the
       initial parsing of a given http request, before its given to a specific
       handler (like mod_php) for processing.

BUGS
       mod_apparmor() currently only supports apache2, and has only been
       tested with the prefork MPM configuration -- threaded configurations of
       apache may not work correctly.

       There are likely other bugs lurking about; if you find any, please
       report them to bugzilla at <http://bugzilla.novell.com>.

SEE ALSO
       apparmor(7), subdomain.conf(5), apparmor_parser(8), and
       <http://forge.novell.com/modules/xfmod/project/?apparmor>.

NOVELL/SUSE			  2007-04-03		     MOD_APPARMOR(pod)
[top]

List of man pages available for SuSE

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net