Novell AppArmor can be managed and configured from the command line as well as from the GUI. This section describes the command line interface.
The AppArmor module can be in any one of three states:
Unloaded: The AppArmor module is not loaded into the kernel.
Running: The AppArmor module is loaded into the kernel and is enforcing Novell AppArmor program policies.
Stopped: The AppArmor module is loaded into the kernel, but no policies are enforced.
Detect the state of the AppArmor module by inspecting /sys/kernel/security/apparmor/profiles (as root). If cat /sys/kernel/security/apparmor/profiles reports a list of profiles, Novell AppArmor is running. If the file exists but is empty, AppArmor is stopped. If the file does not exist, AppArmor is unloaded.
You can load and unload the AppArmor module with the standard Linux module commands, such as modprobe, insmod, lsmod, and rmmod, but this approach is not recommended: the module commands only add or remove the kernel module and do not load or unload any profiles. Instead, manage Novell AppArmor through the script rcapparmor, which can perform the following operations:
rcapparmor start: Behavior depends on the AppArmor module state. If the module was unloaded, start loads the module, loads the profiles, and puts the module in the running state. If it was stopped, start causes the module to rescan the Novell AppArmor profiles, usually found in /etc/apparmor.d, and puts the module in the running state. If the module was already running, start reports a warning and takes no action.
rcapparmor stop: Stops the AppArmor module if it was running by removing all profiles from kernel memory, effectively disabling all access controls and putting the module into the stopped state. The module itself stays loaded. If the AppArmor module was either unloaded or already stopped, stop tries to unload the profiles again, but nothing happens.
rcapparmor restart: Causes the AppArmor module to rescan the profiles in /etc/apparmor.d without unconfining running processes. Freshly created profiles are loaded and enforced, and profiles whose files have been deleted from /etc/apparmor.d are removed from the kernel.
rcapparmor kill: Unconditionally removes the AppArmor module from the kernel. This is unsafe, because unloading a security module from a running kernel is unsafe and it removes all confinement at once. This command is provided only for debugging and for emergencies in which the module must be removed.
Important: Novell AppArmor is a powerful access control system and it is possible to lock yourself out of your own machine to the point where you have to boot the machine from a rescue medium (such as CD 1 of SUSE Linux) to regain control. To prevent such a problem, always ensure that you have a running, unconfined,
The AppArmor module profile definitions are stored in the /etc/apparmor.d directory as plain text files.
Warning: All files in the
You can use a text editor, such as vim, to open and change these profiles. The following sections contain detailed steps for editing and deleting profiles:
Refer to Section 3.4.3, “Adding or Creating a Novell AppArmor Profile”
Refer to Section 3.4.5, “Deleting a Novell AppArmor Profile”
Note: After making changes to a profile, use the rcapparmor restart command, described in the previous section, which causes AppArmor to reread the profiles. For a detailed description of the syntax of these files, refer to Chapter 3, Building Novell AppArmor Profiles.
To add or create a Novell AppArmor profile for an application, you can use a systemic or stand-alone profiling method, depending on your needs. Learn more about these two approaches in Section 3.5, “Two Methods of Profiling”.
The following steps describe the procedure for editing a Novell AppArmor profile. To better understand what makes up a profile, refer to Section 3.1, “Profile Components and Syntax”.
1. If you are not currently logged in as root, enter su in a terminal window. Enter the root password when prompted.
2. Go to the profile directory with cd /etc/apparmor.d/.
3. Enter ls to view all profiles currently installed.
4. Open the profile to edit in a text editor, such as vim.
5. Make the necessary changes, then save the profile.
6. Restart Novell AppArmor by entering rcapparmor restart in a terminal window.
The following steps describe the procedure for deleting a Novell AppArmor profile.
1. If you are not currently logged in as root, enter su in a terminal window. Enter the root password when prompted.
2. Go to the Novell AppArmor directory with cd /etc/apparmor.d/.
3. Enter ls to view all the Novell AppArmor profiles that are currently installed.
4. Delete the profile with rm profilename.
5. Restart Novell AppArmor by entering rcapparmor restart in a terminal window.
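The following POSIX shell script is an added example and is not part of the Novell AppArmor guide. It implements the module state check described at the start of this section and the edit and delete procedures above as reusable functions. It assumes the /sys/kernel/security/apparmor/profiles interface and the apparmor_parser command that AppArmor installs; the sample profile listing shown in the comments is constructed. Two details go beyond the procedures as written: a backup of a profile is kept outside /etc/apparmor.d, since rcapparmor treats every file in that directory as a profile to load, and a single edited or deleted profile is pushed into or pulled out of the kernel with apparmor_parser rather than by restarting all of AppArmor.

```shell
#!/bin/sh
# Added example for this section; not code from the Novell AppArmor guide.
# Assumes the /sys/kernel/security/apparmor/profiles interface and the
# apparmor_parser command shipped with AppArmor. Run as root.

PROFILES_IFACE=/sys/kernel/security/apparmor/profiles
PROFILE_DIR=/etc/apparmor.d

# apparmor_state [iface]: print unloaded, stopped or running, mirroring the
# three module states. The optional argument lets the logic be exercised
# against an ordinary file; the default is the real securityfs path.
apparmor_state() {
    f="${1:-$PROFILES_IFACE}"
    if [ ! -e "$f" ]; then
        echo unloaded            # no interface file: module not in the kernel
    elif [ -n "$(cat "$f" 2>/dev/null)" ]; then
        echo running             # at least one profile is loaded
    else
        echo stopped             # module present, no profiles loaded
    fi
}

# loaded_profile_count [iface]: number of profiles the kernel holds, one per
# line of the interface. Constructed sample of its contents:
#   /usr/sbin/ntpd (enforce)
#   /usr/sbin/sshd (complain)
loaded_profile_count() {
    f="${1:-$PROFILES_IFACE}"
    [ -e "$f" ] || { echo 0; return; }
    grep -c . "$f" || true       # grep exits 1 on zero matches but still prints 0
}

# backup_profile NAME BACKUP_DIR: copy /etc/apparmor.d/NAME to BACKUP_DIR
# before editing and print the backup path. BACKUP_DIR must lie outside
# /etc/apparmor.d, otherwise rcapparmor would load the backup as a profile.
backup_profile() {
    p="$PROFILE_DIR/$1"; bdir="$2"
    [ -f "$p" ] || { echo "no such profile: $p" >&2; return 1; }
    case "$bdir" in "$PROFILE_DIR"*) echo "backup dir must be outside $PROFILE_DIR" >&2; return 1;; esac
    mkdir -p "$bdir"
    b="$bdir/$1.$(date +%Y%m%d%H%M%S)"
    cp -p -- "$p" "$b" && echo "$b"
}

# reload_profile NAME: replace the in-kernel copy of one edited profile.
# apparmor_parser -r fails on a syntax error and leaves the old profile in
# place, so a bad edit never results in an unconfined program.
reload_profile() {
    p="$PROFILE_DIR/$1"
    [ -f "$p" ] || { echo "no such profile: $p" >&2; return 1; }
    apparmor_parser -r "$p"
}

# remove_profile NAME: the delete procedure. Unload from the kernel first;
# -R needs the file to learn the profile name, so rm must come second.
remove_profile() {
    p="$PROFILE_DIR/$1"
    [ -f "$p" ] || { echo "no such profile: $p" >&2; return 1; }
    apparmor_parser -R "$p" && rm -- "$p"
}

# Command dispatcher; with no arguments the script only defines functions.
case "${1:-}" in
    state)  apparmor_state; echo "$(loaded_profile_count) profile(s) loaded" ;;
    backup) backup_profile "${2:-}" "${3:-}" ;;
    reload) reload_profile "${2:-}" ;;
    remove) remove_profile "${2:-}" ;;
esac
```

Typical use is `./apparmor-admin.sh backup usr.sbin.sshd /root/apparmor-backups`, edit the profile with vim, then `./apparmor-admin.sh reload usr.sbin.sshd`; `./apparmor-admin.sh state` reports running, stopped or unloaded together with the loaded profile count, which is a quick check that the reload actually took effect.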