Novell AppArmor (2.3.1) Quick Start
This document helps you understand the main concepts behind Novell® AppArmor—the content of AppArmor profiles. Learn how to create or modify AppArmor profiles. You can create and manage AppArmor profiles in three different ways. The most convenient interface to AppArmor is provided by the AppArmor YaST modules, which can be used either in graphical or ncurses mode. The same functionality is provided by the AppArmor command line tools, or you can simply edit the profiles in a text editor.
AppArmor Modes
complain/learning
In complain or learning mode, violations of AppArmor profile rules, such as the profiled program accessing files not permitted by the profile, are detected. The violations are permitted, but also logged. This mode is convenient for developing profiles and is used by the AppArmor tools for generating profiles.
enforce
Loading a profile in enforcement mode enforces the policy defined in the profile as well as reports policy violation attempts to syslogd.
Starting and Stopping AppArmor
Use the rcapparmor command with one of the following parameters:
start
Load the kernel module, mount securityfs, parse and load profiles. Profiles and confinement are applied to any application started after this command was executed. Processes already running at the time AppArmor is started continue to run unconfined.
stop
Unmount securityfs, and invalidate profiles.
reload
Reload profiles.
status
If AppArmor is enabled, output how many profiles are loaded in complain or enforce mode.
Use the rcaaeventd command to control event logging with aa-eventd. Use the start and stop options to toggle the status of aa-eventd, and check its status using the status option.
AppArmor Command Line Tools
autodep
Guess basic AppArmor profile requirements. autodep creates a stub profile for the program or application examined. The resulting profile is called "approximate" because it does not necessarily contain all of the profile entries that the program needs to be confined properly.
complain
Set an AppArmor profile to complain mode.
Manually activating complain mode (using the command line) adds a flag to the top of the profile, so that /bin/foo becomes /bin/foo flags=(complain).
enforce
Set an AppArmor profile to enforce mode from complain mode.
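The header rewrite that the complain and enforce tools perform on a profile, shown as an added example (not the AppArmor tools' own code): a constructed profile for the hypothetical program /bin/foo has flags=(complain) added to or removed from its header line, and the current mode is read back from that header.

```python
import re

# Constructed sample profile (not taken from the original page): a minimal
# AppArmor profile for the hypothetical program /bin/foo.
SAMPLE_PROFILE = """\
#include <tunables/global>

/bin/foo {
  #include <abstractions/base>

  /bin/foo mr,
  /etc/foo.conf r,
  /var/log/foo.log w,
}
"""

# Matches a profile header line: the program path, an optional
# flags=(...) clause, and the opening brace.
HEADER_RE = re.compile(
    r'^(?P<path>/\S+)(?:\s+flags=\((?P<flags>[^)]*)\))?\s*\{\s*$', re.M)

def set_mode(profile_text, mode):
    """Return the profile with its header rewritten for the given mode.

    mode="complain" adds flags=(complain), so "/bin/foo {" becomes
    "/bin/foo flags=(complain) {"; mode="enforce" removes the complain
    flag again. Any other flags already present are kept unchanged.
    """
    if mode not in ("complain", "enforce"):
        raise ValueError("mode must be 'complain' or 'enforce'")

    def rewrite(m):
        flags = [f.strip() for f in (m.group("flags") or "").split(",") if f.strip()]
        flags = [f for f in flags if f != "complain"]
        if mode == "complain":
            flags.append("complain")
        clause = " flags=(%s)" % ",".join(flags) if flags else ""
        return "%s%s {" % (m.group("path"), clause)

    return HEADER_RE.sub(rewrite, profile_text)

def header_line(profile_text):
    """Return the profile header line, or None if no header is found."""
    m = HEADER_RE.search(profile_text)
    return m.group(0) if m else None

def current_mode(profile_text):
    """Report 'complain' if the header carries that flag, otherwise 'enforce'."""
    m = HEADER_RE.search(profile_text)
    if not m:
        return None
    flags = [f.strip() for f in (m.group("flags") or "").split(",")]
    return "complain" if "complain" in flags else "enforce"
```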
NOVELL® QUICK START CARD