aa-genprof - profile generation utility for AppArmor
aa-genprof <executable> [-d /path/to/profiles] [-f /path/to/logfile]
-d --dir /path/to/profiles Specifies where to look for the AppArmor security profile set. Defaults to /etc/apparmor.d. -f --file /path/to/logfile Specifies the location of logfile. Default locations are read from F</etc/apparmor/logprof.conf>. Typical defaults are: /var/log/audit/audit.log /var/log/syslog /var/log/messages
When running aa-genprof, you must specify a program to profile. If the specified program is not a fully-qualified path, aa-genprof will search $PATH in order to find the program. If a profile does not exist for the program, aa-genprof will create one using aa-autodep(1). Genprof will then: - set the profile to complain mode - write a mark to the system log - instruct the user to start the application to be profiled in another window and exercise its functionality It then presents the user with two options, (S)can system log for entries to add to profile and (F)inish. If the user selects (S)can or hits return, aa-genprof will parse the complain mode logs and iterate through generated violations using aa-logprof(1). After the user finishes selecting profile entries based on violations that were detected during the program execution, aa-genprof will reload the updated profiles in complain mode and again prompt the user for (S)can and (F)inish. This cycle can then be repeated as necessary until all application functionality has been exercised without generating access violations. When the user eventually hits (F)inish, aa-genprof will set the main profile, and any other profiles that were generated, into enforce mode and exit.
If you find any bugs, please report them at <https://bugs.launchpad.net/apparmor/+filebug>.
apparmor(7), apparmor.d(5), aa-enforce(1), aa-complain(1), aa-disable(1), aa_change_hat(2), aa-logprof(1), logprof.conf(5), and <http://wiki.apparmor.net>.
More Linux Commands
XkbGetUpdatedMap(3) - Update the client or server map inform
The which parameter is a bitwise inclusive OR of the masks in Table 1. If the needed components of the xkb structure are not already allocated, XkbGetUpdatedMap
ExtUtils::MakeMaker::Tutorial(3pm) - Writing a module with M
This is a short tutorial on writing a simple module with MakeMaker. Its really not that hard. The Mantra MakeMaker modules are installed using this simple mantr
systemd-initctl.socket(8) dev initctl compatibility.........
systemd-initctl is a system service that implements compatibility with the /dev/initctl FIFO file system object, as implemented by the SysV init system. systemd
keybound_sp(3ncurses) - curses screen-pointer extension.....
This implementation can be configured to provide a set of functions which improve the ability to manage multiple screens. This feature can be added to any of th
pam_info(3) - display messages to the user - Linux man page
The pam_info function prints messages through the conversation function to the user. The pam_vinfo function performs the same task as pam_info() with the differ
ifup(8) - start a pre-configured network interface..........
ifup is used to bring up a pre-configured interface for networking. It is usually invoked by the network script at boot time or by the PCMCIA/hotplug system. It
App::Prove(3pm) - Implements the "prove" command. (ManPage)
Test::Harness provides a command, prove, which runs a TAP based test suite and prints a report. The prove command is a minimal wrapper around an instance of thi
ausearch_add_regex(3) - use regular expression search rule
ausearch_add_regex adds one search condition based on a regular expression to the current audit search expression. The search conditions can then be used to sca
curl_getdate(3) - Convert a date string to number of seconds
This function returns the number of seconds since January 1st 1970 in the UTC time zone, for the date and time that the datestring parameter specifies. The now
ber_get_next(3) - OpenLDAP LBER simplified Basic Encoding Ru
These routines provide a subroutine interface to a simplified implementation of the Basic Encoding Rules of ASN.1. The version of BER these routines support is
spamd(1) - daemonized version of spamassassin (Man Page)....
The purpose of this program is to provide a daemonized version of the spamassassin executable. The goal is improving throughput performance for automated mail c
sendto(2) - send a message on a socket - Linux manual page
The system calls send(), sendto(), and sendmsg() are used to transmit a message to another socket. The send() call may be used only when the socket is in a conn