Chapter 25. Confining Users with pam_apparmor

An AppArmor profile applies to an executable program; if a portion of the program needs different access permissions than other portions need, the program can change hats via change_hat to a different role, also known as a subprofile. The pam_apparmor PAM module allows applications to confine authenticated users into subprofiles based on group names, user names, or a default profile. To accomplish this, pam_apparmor needs to be registered as a PAM session module.

The package pam_apparmor may not be installed by default; you may need to install it using YaST or zypper. Details about how to set up and configure pam_apparmor can be found in /usr/share/doc/packages/pam_apparmor/README after the package has been installed. For details on PAM, refer to Chapter 2, Authentication with PAM.

pam_apparmor allows you to set up role-based access control (RBAC). In conjunction with the set capabilities rules (see Section 20.11, “Setting Capabilities per Profile” for more information), it allows you to map restricted admin profiles to users. A detailed HOWTO on setting up RBAC with AppArmor is available at http://developer.novell.com/wiki/index.php/Apparmor_RBAC_in_version_2.3.
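As an added example (not taken from this guide or from the pam_apparmor package), the PAM session line below registers pam_apparmor and a matching profile defines the hats it can switch into; the profile path /bin/login, the hat names, the group name users and the rules inside each hat are assumptions, while the order= option and the DEFAULT hat name are the ones documented in the pam_apparmor README.

```text
# /etc/pam.d/login (assumed location; the line belongs in the session stack
# of whichever login service should confine its users)
#
# pam_apparmor tries the hats in the listed order: first a hat named after
# the user name, then one named after the user's primary group, then DEFAULT.
session   optional   pam_apparmor.so order=user,group,default

# /etc/apparmor.d/bin.login (assumed path; only the hat-related rules shown,
# the rules the login program itself needs are elided)
/bin/login {
  #include <abstractions/base>
  #include <abstractions/authentication>
  #include <abstractions/nameservice>

  # ... rules for the login program itself ...

  # Hat selected for the user named "root" (matched by order=user).
  ^root {
    #include <abstractions/base>
    /bin/bash        ix,
    /sbin/**         ix,
    /usr/sbin/**     ix,
    /etc/**          rw,
    capability dac_override,
  }

  # Hat selected for members of the group "users" (matched by order=group)
  # when no hat carries the user's own name.
  ^users {
    #include <abstractions/base>
    /bin/bash        ix,
    /usr/bin/**      ix,
    owner /home/**   rw,
    /tmp/**          rw,
  }

  # Fallback hat for everyone not matched above: a restricted role
  # rather than an unconfined login.
  ^DEFAULT {
    #include <abstractions/base>
    /bin/bash        ix,
    owner /home/**   r,
  }
}
```

After loading the profile with apparmor_parser -r, the role a user receives can be verified from a shell opened by that login by reading /proc/self/attr/current, which shows the profile and hat name.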