Novell® AppArmor provides the ability to use a command line interface rather than a graphical interface to manage and configure your system security. Track the status of Novell AppArmor and create, delete, or modify AppArmor profiles using the AppArmor command line tools.
Background Information: Before starting to manage your profiles using the AppArmor command line tools, check out the general introduction to AppArmor given in Chapter 1, Immunizing Programs and Chapter 2, Profile Components and Syntax.
An AppArmor module can be in any one of three states:

Unloaded: The AppArmor module is not loaded into the kernel.
Running: The AppArmor module is loaded into the kernel and is enforcing AppArmor program policies.
Stopped: The AppArmor module is loaded into the kernel, but no policies are enforced.
Detect the state of the AppArmor module by inspecting /sys/kernel/security/apparmor/profiles. If cat /sys/kernel/security/apparmor/profiles reports a list of profiles, AppArmor is running. If it is empty and returns nothing, AppArmor is stopped. If the file does not exist, AppArmor is unloaded.
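The three-way check above, written out as an added shell example (not from the original guide): the path is a parameter so the logic can be run against constructed files, and a second helper counts loaded profiles per mode using the kernel's one-per-line "name (mode)" listing. The sample profile names are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: classify the AppArmor module
# state by the three rules given for /sys/kernel/security/apparmor/profiles
# (missing file: unloaded; exists but lists nothing: stopped; lists profiles:
# running). The path is a parameter so the logic can be exercised on
# constructed files; on a real host call it with no argument, as root, since
# the file may be readable by root only.
apparmor_state() {
    profiles="${1:-/sys/kernel/security/apparmor/profiles}"
    if [ ! -e "$profiles" ]; then
        echo unloaded
        return 0
    fi
    # An unreadable file is not "stopped": say so instead of guessing.
    [ -r "$profiles" ] || { echo unknown; return 1; }
    # Read the contents rather than testing the size: securityfs files
    # report size 0 even when they have content.
    if [ -z "$(cat "$profiles")" ]; then
        echo stopped
    else
        echo running
    fi
}

# Count loaded profiles, optionally only those in one mode. The kernel lists
# one profile per line as "name (mode)", e.g. "/usr/sbin/ntpd (enforce)".
apparmor_profile_count() {
    profiles="${1:-/sys/kernel/security/apparmor/profiles}"
    mode="$2"                      # enforce, complain, or empty for all
    [ -r "$profiles" ] || { echo 0; return; }
    if [ -n "$mode" ]; then
        grep -c "($mode)\$" "$profiles" || true
    else
        grep -c . "$profiles" || true
    fi
}

# Demonstration on constructed files standing in for the three module states.
demo=$(mktemp -d)
printf '/usr/sbin/ntpd (enforce)\n/usr/sbin/sshd (complain)\n' > "$demo/running"
: > "$demo/stopped"
for f in running stopped missing; do
    printf '%s: %s\n' "$f" "$(apparmor_state "$demo/$f")"
done
printf 'enforced profiles: %s\n' "$(apparmor_profile_count "$demo/running" enforce)"
rm -rf "$demo"
```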
Manage AppArmor through the script rcapparmor, which can perform the following operations:

start: Behavior depends on the AppArmor module state. If it is unloaded, start loads the module and starts it, putting it in the running state. If it is stopped, start causes the module to rescan the AppArmor profiles usually found in /etc/apparmor.d and puts the module in the running state. If the module is already running, start reports a warning and takes no action.

stop: Stops the AppArmor module if it is running by removing all profiles from kernel memory, effectively disabling all access controls, and putting the module into the stopped state. If the AppArmor module is unloaded or already stopped, stop tries to unload the profiles again, but nothing happens.

reload: Causes the AppArmor module to rescan the profiles in /etc/apparmor.d without unconfining running processes. Freshly created profiles are enforced and recently deleted ones are removed from the /etc/apparmor.d directory.

kill: Unconditionally removes the AppArmor module from the kernel. This is unsafe, because unloading modules from the Linux kernel is unsafe. This command is provided only for debugging and emergencies when the module might need to be removed.
AppArmor is a powerful access control system and it is possible to lock yourself out of your own machine to the point where you must boot the machine from a rescue medium (such as the first medium of openSUSE) to regain control.
To prevent such a problem, always ensure that you have a running, unconfined,