3.4. Building Novell AppArmor Profiles Using the Command Line Interface

Novell AppArmor provides the ability to use a command line interface rather than a GUI to manage and configure your system security.

3.4.1. Checking the AppArmor Module Status

The AppArmor module can be in any one of three states:

Unloaded

The AppArmor module is not loaded into the kernel.

Running

The AppArmor module is loaded into the kernel and is enforcing Novell AppArmor program policies.

Stopped

The AppArmor module is loaded into the kernel, but no policies are enforced.

Detect the state of the AppArmor module by inspecting /sys/kernel/security/apparmor/profiles. If cat /sys/kernel/security/apparmor/profiles reports a list of profiles, Novell AppArmor is running. If it is empty and returns nothing, AppArmor is stopped. If the file does not exist, AppArmor is unloaded.
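The check described above, as a shell function. This is an added example, not part of the original guide: the function name, the optional path argument, and the extra "unknown" result (returned when the file exists but cannot be read, for example without root privileges) are assumptions.

```shell
#!/bin/sh
# Added example: classify the AppArmor module state from the profiles file.
# The default path is the one given in the text; the optional argument
# exists so the function can be exercised against constructed files.

apparmor_state() {
    f="${1:-/sys/kernel/security/apparmor/profiles}"

    # File absent: the module is not loaded into the kernel.
    if [ ! -e "$f" ]; then
        echo unloaded
        return 0
    fi

    # File present but unreadable: do not guess. "unknown" is not one of
    # the three states in the text; it means "re-run with enough privilege".
    if ! content=$(cat "$f" 2>/dev/null); then
        echo unknown
        return 1
    fi

    # Empty list: module loaded, no policy enforced.
    # Non-empty list: module loaded and enforcing the listed profiles.
    if [ -z "$content" ]; then
        echo stopped
    else
        echo running
    fi
}

# Report the state of the local machine when the script is run directly.
apparmor_state || true
```

A "stopped" result deserves attention on a production host: the module is present, but no process is confined.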

You can load and unload the AppArmor module with the standard Linux module commands, such as modprobe, insmod, lsmod, and rmmod, but this approach is not recommended. Instead, manage Novell AppArmor through the rcapparmor script, which can perform the following operations:

rcapparmor start

Behavior depends on the AppArmor module state. If it was unloaded, start loads the module and starts it, putting it in the running state. If it was stopped, start causes the module to rescan the Novell AppArmor profiles usually found in /etc/apparmor.d and puts the module in the running state. If the module was already running, start reports a warning and takes no action.

rcapparmor stop

If the AppArmor module was running, stops it by removing all profiles from kernel memory. This effectively disables all access controls and puts the module into the stopped state. If the AppArmor module was either unloaded or already stopped, stop tries to unload the profiles again, but nothing happens.

rcapparmor restart

Causes the AppArmor module to rescan the profiles in /etc/apparmor.d without unconfining running processes. Freshly created profiles are enforced and profiles recently deleted from the /etc/apparmor.d directory are removed.

rcapparmor kill

Unconditionally removes the AppArmor module from the kernel. This is unsafe, because unloading modules from the Linux kernel is unsafe. This command is provided only for debugging and emergencies when the module might have to be removed.

Important

Novell AppArmor is a powerful access control system and it is possible to lock yourself out of your own machine to the point where you have to boot the machine from a rescue medium (such as CD 1 of SUSE Linux) to regain control.

To prevent such a problem, always ensure that you have a running, unconfined, root login on the machine being configured when you restart the AppArmor module. If you damage your system to the point where logins are no longer possible (for example, by breaking the profile associated with the SSH daemon), you can repair the damage using your running root prompt, then restart the AppArmor module.

3.4.2. Building Novell AppArmor Profiles

The AppArmor module profile definitions are stored in the /etc/apparmor.d directory as plain text files.

Warning

All files in the /etc/apparmor.d directory are interpreted as profiles and are loaded as such. Renaming files in that directory is not an effective way of preventing profiles from being loaded. You must remove profiles from this directory to manage them effectively.

You can use a text editor, such as vim, to access and make changes to these profiles. The following options contain detailed steps for building profiles:

Adding or Creating Novell AppArmor Profiles

Refer to Section 3.4.3, “Adding or Creating a Novell AppArmor Profile”

Editing Novell AppArmor Profiles

Refer to Section 3.4.4, “Editing a Novell AppArmor Profile”

Deleting Novell AppArmor Profiles

Refer to Section 3.4.5, “Deleting a Novell AppArmor Profile”

Note

After making changes to a profile, use the rcapparmor restart command, described in the previous section. This command causes AppArmor to reread the profiles. For a detailed description of the syntax of these files, refer to Chapter 3, Building Novell AppArmor Profiles.

3.4.3. Adding or Creating a Novell AppArmor Profile

To add or create a Novell AppArmor profile for an application, you can use a systemic or stand-alone profiling method, depending on your needs. Learn more about these two approaches in Section 3.5, “Two Methods of Profiling”.

3.4.4. Editing a Novell AppArmor Profile

The following steps describe the procedure for editing a Novell AppArmor profile. To better understand what makes up a profile, refer to Section 3.1, “Profile Components and Syntax”.

  1. If you are not currently logged in as root, enter su in a terminal window.

  2. Enter the root password when prompted.

  3. Go to the profile directory with cd /etc/apparmor.d/.

  4. Enter ls to view all profiles currently installed.

  5. Open the profile to edit in a text editor, such as vim.

  6. Make the necessary changes, then save the profile.

  7. Restart Novell AppArmor by entering rcapparmor restart in a terminal window.
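Because every file in /etc/apparmor.d is loaded as a profile (see the warning in Section 3.4.2), a backup or editor leftover saved next to the profile is loaded on the next restart. The helpers below are an added example, not part of the original guide: they keep the backup outside the profile directory and check for leftovers before the restart. The backup location, the function names, and the list of suffixes are assumptions.

```shell
#!/bin/sh
# Added example; both defaults can be overridden from the environment.
PROFILE_DIR="${PROFILE_DIR:-/etc/apparmor.d}"
BACKUP_DIR="${BACKUP_DIR:-/root/apparmor-backups}"   # hypothetical location

# Copy a profile to BACKUP_DIR before editing it; print the backup path.
backup_profile() {
    name="$1"
    src="$PROFILE_DIR/$name"
    [ -f "$src" ] || { echo "no such profile: $src" >&2; return 1; }
    # A backup inside the profile directory would itself be loaded.
    case "$BACKUP_DIR/" in
        "$PROFILE_DIR"/*)
            echo "backup dir must be outside $PROFILE_DIR" >&2
            return 1 ;;
    esac
    mkdir -p "$BACKUP_DIR" || return 1
    dest="$BACKUP_DIR/$name.$(date +%Y%m%d%H%M%S)"
    cp -p "$src" "$dest" && echo "$dest"
}

# List files in PROFILE_DIR that look like editor backups or renamed
# copies. The suffix list is an assumption; extend it for your editor.
leftover_files() {
    find "$PROFILE_DIR" -maxdepth 1 -type f \
        \( -name '*~' -o -name '*.bak' -o -name '*.orig' -o -name '*.old' \
           -o -name '*.disabled' -o -name '.*.swp' \) | sort
}

# Return 0 only when no leftover file would be loaded on restart.
safe_to_restart() {
    stray=$(leftover_files)
    [ -z "$stray" ] && return 0
    echo "remove these from $PROFILE_DIR before rcapparmor restart:" >&2
    echo "$stray" >&2
    return 1
}

# Usage, from a root shell (usr.sbin.sshd is a sample profile name):
#   backup_profile usr.sbin.sshd && vim "$PROFILE_DIR/usr.sbin.sshd"
#   safe_to_restart && rcapparmor restart
```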

3.4.5. Deleting a Novell AppArmor Profile

The following steps describe the procedure for deleting a Novell AppArmor profile.

  1. If you are not currently logged in as root, enter su in a terminal window.

  2. Enter the root password when prompted.

  3. Go to the Novell AppArmor directory with cd /etc/apparmor.d/.

  4. Enter ls to view all the Novell AppArmor profiles that are currently installed.

  5. Delete the profile with rm profilename.

  6. Restart Novell AppArmor by entering rcapparmor restart in a terminal window.