Knowledge Base
ID: AR03D00357
Applies to: NX Server Products
Added on: 2006-03-14
Last Update: 2009-08-28

How to configure Subdomain/AppArmor to work with NX Server

The root of the problem is AppArmor (previously known as SubDomain), a
kernel enhancement that confines programs to a limited set of resources.
An NX binary running under a profile that does not grant an operation is
denied it, and the session cannot proceed.
 
If this level of security is not needed, the solution is simply to disable AppArmor and then run NX Server. Otherwise you need to configure AppArmor with profiles that allow the operations (read, execute, etc.) the NX binaries require.
 
We assume you have a general knowledge of AppArmor; if not, please read the
appropriate documentation at

http://www.novell.com/documentation/apparmor/index.html.
 
This article explains how to set up profiles with AppArmor 2.0. To use it with AppArmor 1.2 just omit the prefix "aa-" of the AppArmor commands, e.g. "logprof" instead of "aa-logprof". Profiles in AppArmor 1.2 are stored under "/etc/subdomain.d" instead of "/etc/apparmor.d".

 
If you need AppArmor, please do the following:

  1. Start by creating approximate profiles for the NX binaries:
    # aa-autodep /usr/NX/bin/*
  2. Put these profiles into learning (complain) mode:
    # aa-complain /etc/apparmor.d/usr.NX.bin.nx*
    In complain mode violations are only logged, not blocked, so the NX
    binaries are not actually restricted until step 7.
  3. Now start an NX session from a remote host and use it.
    AppArmor will audit the behaviour of the NX binaries and log their
    actions (events).
  4. After you have ended the session, start the logprof tool to analyze
    the audit log and create appropriate rules:
    # aa-logprof
    This starts the interactive logprof tool. It shows you the events, such as access to a file/directory or execution of another program.
    See the guidelines below for help on the creation of rules.
  5. Repeat steps 3) and 4) until you have covered all the desktops you
    want to run (e.g. KDE, GNOME, Windows RDP, VNC server) and all the
    services you need (Samba shares, printer or multimedia forwarding).
     
  6. Review your profiles, located at "/etc/apparmor.d/usr.NX.*".
  7. To leave learning mode, put your profiles into enforce mode and
     reload the profiles:
      # aa-enforce /etc/apparmor.d/usr.NX.*
      # rcsubdomain restart
  8. Run your NX sessions to verify that you have covered all events.

    
 
Use these guidelines to create your rules:

  •  Be careful to confirm only one event at a time; it may take some
      seconds after you have pressed a key until you see the next
      event. If you accidentally confirmed an event with the wrong
      rule, abort with "r" and start over again.
  • The event "Execute:  /bin/bash" should be allowed "Unconfined":
     press "U" and confirm with "Y".
  • Execution of other programs should be allowed with "Profile"
    where possible: press "P".
  • Execution of essential shell commands like "cat", "cp", "mkdir"
    should be allowed with "Inherit" if "Profile" is not possible:
    press "I".
  • Wherever possible include abstractions. These provide a set of
    standard rules. Press the number displayed in front of the suggested
    abstraction and confirm with "A" for Allow.
  • Use the following abstractions:
    • "#include <abstractions/X>" for nxagent
    • "#include <abstractions/bash>" for nxnode
    • "#include <abstractions/nameservice>" for access to "/etc/resolv.conf", "/etc/nsswitch.conf" etc.
    • "#include <abstractions/user-tmp>" for access to temp files,
      e.g. "/tmp/.X1002-lock"
    • "#include <abstractions/fonts>" for access to font directories, e.g. "/usr/X11R6/lib/X11/fonts/**"

  • Pay attention to access to files located in a home directory: use
      the rule with "/home/*/foo/bar" rather than the one naming a specific
      home directory, otherwise the profile only works for that one user.
  • Many NX binaries need access to the session cache; always use "Glob"
      here to get the rule "/home/*/.nx/**".
  • Glob the access to the NX perl scripts to "/usr/NX/lib/perl/**" for
      nxnode and to "/usr/NX/lib/perl/*" for nxserver.
  • Glob the nxserver access to the session id to "/usr/NX/var/db/running/*".
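Putting the guidelines together, here is what a profile for nxnode built along these lines looks like. This is an added illustration, not a profile shipped by NoMachine or generated on a real system: the set of paths granted is an assumed minimum, and the actual list comes out of aa-logprof on your host. The "#include <tunables/global>" header and the "m" (mmap-executable) permission on the binary are what current aa-autodep emits; on AppArmor 1.2 the header is not available and plain "r" is used for the binary.

```apparmor
# /etc/apparmor.d/usr.NX.bin.nxnode  (illustrative example, not a NoMachine-supplied profile)
#include <tunables/global>

/usr/NX/bin/nxnode {
  # abstractions from the guidelines; "base" is what aa-autodep includes by default
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  # the binary itself and the NX perl library, globbed as suggested for nxnode
  /usr/NX/bin/nxnode          mr,
  /usr/NX/lib/perl/**         r,

  # per-user session cache: globbed over all home directories, never one named user
  /home/*/.nx/**              rw,

  # execution modes from the guidelines:
  #   ux = Unconfined (bash), px = switch to that program's own Profile,
  #   ix = Inherit this profile (essential shell commands)
  /bin/bash                   ux,
  /bin/cat                    ix,
  /bin/cp                     ix,
  /bin/mkdir                  ix,
  /usr/NX/bin/nxagent         px,
}
```

The "px" line only works if a profile for /usr/NX/bin/nxagent (usr.NX.bin.nxagent) is loaded as well; otherwise the execution is denied, which is exactly the kind of event aa-logprof will show you on the next pass.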


Notes

It has been noticed that sometimes profiles created with the logprof tool fail to load with an unknown error, for example:

/etc/init.d/apparmor restart
* Reloading AppArmor profiles .../sbin/apparmor_parser: Unable to replace "/usr/NX/bin/nxagent".  Unknown error
* Failure: /etc/apparmor.d/usr.NX.bin.nxagent failed to load
/sbin/apparmor_parser: Unable to replace "/usr/NX/bin/nxclient".  Unknown error
* Failure: /etc/apparmor.d/usr.NX.bin.nxclient failed to load

This has been verified for example on Ubuntu 9.04 64-bit, where the problem seems to occur at random; when it does, the NX session cannot be started. When the error above occurs, a solution is to remove the affected profile files from the /etc/apparmor.d/ directory and restart AppArmor. If this doesn't help, you could try to restart the machine. A good practice that makes recovering the profiles easier is to create a backup of the files in /etc/apparmor.d/ before proceeding to create new ones.
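The backup-then-quarantine routine described in this note, as an added shell example (not a script from the NoMachine article): it copies the NX profiles to a timestamped backup directory, then loads them one at a time so that a profile the parser rejects is moved aside instead of aborting the reload of all of them. It assumes the NX profiles are the /etc/apparmor.d/usr.NX.* files and that apparmor_parser is invoked with "-r <file>" to replace a single loaded profile; the three variables at the top can be overridden for other locations.

```sh
#!/bin/sh
# Added example, not part of the NoMachine article: back up the NX
# profiles, then load them one at a time with apparmor_parser so that a
# profile rejected with "Unable to replace ... Unknown error" is moved
# aside instead of aborting the reload of every profile.
#
# Assumptions (not stated in the article): the NX profiles are the
# /etc/apparmor.d/usr.NX.* files, and apparmor_parser is called with
# "-r <file>" to replace one loaded profile.  Override the variables
# below to point at other locations or a different parser binary.

PROFILE_DIR=${PROFILE_DIR:-/etc/apparmor.d}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/apparmor-nx}
APPARMOR_PARSER=${APPARMOR_PARSER:-/sbin/apparmor_parser}

# Copy every NX profile into a timestamped backup directory and print
# that directory's path, so a known-good set can be restored later.
backup_nx_profiles() {
    dest="$BACKUP_DIR/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest" || return 1
    for f in "$PROFILE_DIR"/usr.NX.*; do
        [ -f "$f" ] || continue          # no NX profiles: nothing to copy
        cp -p "$f" "$dest/" || return 1
    done
    echo "$dest"
}

# Load the NX profiles individually.  A profile the parser rejects is
# moved into $BACKUP_DIR/rejected so the remaining profiles still load.
# Returns the number of rejected profiles (0 = all loaded), or 255 if the
# quarantine directory cannot be created.
load_nx_profiles() {
    rejected=0
    mkdir -p "$BACKUP_DIR/rejected" || return 255
    for f in "$PROFILE_DIR"/usr.NX.*; do
        [ -f "$f" ] || continue
        if $APPARMOR_PARSER -r "$f"; then
            echo "loaded   $f"
        else
            echo "REJECTED $f - moved to $BACKUP_DIR/rejected" >&2
            mv "$f" "$BACKUP_DIR/rejected/" || return 255
            rejected=$((rejected + 1))
        fi
    done
    return "$rejected"
}

# Typical use on the NX host (as root):
#   backup_nx_profiles
#   load_nx_profiles || echo "some NX profiles were rejected, see above" >&2
#   rcsubdomain restart          # or: /etc/init.d/apparmor restart
```

A rejected profile is kept under the quarantine directory rather than deleted, so you can diff it against the last good backup or feed the session through aa-logprof again; after the loop, restart AppArmor as in step 7 so the surviving profiles are active.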