Building Apparmor Profiles - Novell LINUX ENTERPRISE SERVER 11 - SECURITY Manual

WARNING
AppArmor is a powerful access control system and it is possible to lock
yourself out of your own machine to the point where you must boot the
machine from a rescue medium (such as the first medium of SUSE Linux
Enterprise Server) to regain control.
To prevent such a problem, always ensure that you have a running, uncon-
fined, root login on the machine being configured when you restart the
AppArmor module. If you damage your system to the point where logins
are no longer possible (for example, by breaking the profile associated
with the SSH daemon), you can repair the damage using your running root
prompt then restart the AppArmor module.

24.2 Building AppArmor Profiles

The AppArmor module profile definitions are stored in the /etc/apparmor.d di-
rectory as plain text files. For a detailed description of the syntax of these files, refer
to Chapter 21, Profile Components and Syntax
All files in the /etc/apparmor.d directory are interpreted as profiles and are
loaded as such. Renaming files in that directory is not an effective way of preventing
profiles from being loaded. You must remove profiles from this directory to prevent
them from being read and evaluated effectively.
You can use a text editor, such as vim, to access and make changes to these profiles.
The following options contain detailed steps for building profiles:
Adding or Creating AppArmor Profiles
Refer to Section 24.3, "Adding or Creating an AppArmor Profile"
Editing AppArmor Profiles
Refer to Section 24.4, "Editing an AppArmor Profile"
Deleting AppArmor Profiles
Refer to Section 24.5, "Deleting an AppArmor Profile"
(page 237).
(page 290)
(page 290)
Building Profiles from the Command Line
(page 290)
289