Novell AppArmor provides the ability to use a command line interface rather than the GUI to manage and configure your system security.
The AppArmor module can be in any one of three states:
- Unloaded: the AppArmor module is not loaded into the kernel.
- Running: the AppArmor module is loaded into the kernel and is enforcing Novell AppArmor program policies.
- Stopped: the AppArmor module is loaded into the kernel, but there are no policies being enforced.
You can detect which of the three states the AppArmor module is in by inspecting /sys/kernel/security/apparmor/profiles. If cat /sys/kernel/security/apparmor/profiles reports a list of profiles, Novell AppArmor is running. If it is empty and returns nothing, AppArmor is stopped. If the file does not exist, AppArmor is unloaded.
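The three-way check described above, written as a small POSIX shell function. This is an added example, not part of the original guide; the file path argument is an assumption so the function can be exercised against constructed files, and the read check covers the case where the profiles file exists but the caller is not root.

```shell
#!/bin/sh
# Report the AppArmor module state from the profiles file, following the rule
# in the text: missing file = unloaded, empty = stopped, non-empty = running.
# Added example (not from the guide). The optional argument is an assumption:
# it lets the check run against a constructed file instead of the live sysfs path.
apparmor_state() {
    f="${1:-/sys/kernel/security/apparmor/profiles}"
    if [ ! -e "$f" ]; then
        echo unloaded
        return 0
    fi
    # The live file is normally readable only by root; an unreadable file must
    # not be mistaken for "stopped", so report it separately with its own exit code.
    if [ ! -r "$f" ]; then
        echo "cannot read $f (run as root)" >&2
        return 2
    fi
    # Use cat rather than a size test: sysfs/securityfs files often report size 0
    # even when they have content, so only the actual output is trustworthy.
    if [ -n "$(cat "$f")" ]; then
        echo running
    else
        echo stopped
    fi
}

# Stand-alone use: report the state of the live system.
[ "${APPARMOR_STATE_NO_MAIN:-}" ] || apparmor_state
```

Exit code 2 distinguishes "could not read" from the three real states, so scripts can refuse to act rather than assume the module is stopped.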
The AppArmor module can be loaded and unloaded with the standard Linux module commands such as modprobe, insmod, lsmod, and rmmod, but this approach is not recommended. Instead, it is recommended to manage Novell AppArmor through the script rcapparmor, which can perform the following operations:
- start: Has different behaviors depending on the AppArmor module state. If it was unloaded, start loads the module and starts it, putting it in the running state. If it was stopped, then start causes the module to rescan the Novell AppArmor profiles usually found in /etc/apparmor.d and puts the module in the running state. If the module was already running, start reports a warning and takes no action.
- stop: Stops the AppArmor module (if it was running) by removing all profiles from kernel memory, effectively disabling all access controls and putting the module into the stopped state. If the AppArmor module was either unloaded or already stopped, stop tries to unload the profiles again, but nothing happens.
- restart: Causes the AppArmor module to rescan the profiles usually found in /etc/apparmor.d without unconfining running processes, adding new profiles and removing any profiles that had been deleted from /etc/apparmor.d.
- kill: Unconditionally removes the AppArmor module from the kernel. This is unsafe, because unloading modules from the Linux kernel is unsafe. This command is provided only for debugging and emergencies when the module might have to be removed.
Note: Novell AppArmor is a powerful access control system and it is possible to lock yourself out of your own machine to the point where you have to boot the machine from rescue media (such as CD 1 of SUSE Linux) to regain control. To prevent such a problem, always ensure that you have a running, unconfined, root login on the machine being configured when you restart the AppArmor module. If you damage your system to the point where logins are no longer possible (for example, by breaking the profile associated with the SSH daemon), you can repair the damage using your running root prompt and restarting the AppArmor module.
The AppArmor module profile definitions are stored in the directory /etc/apparmor.d/ as plain text files.
Warning: All files in the
You can use a text editor, such as vim, to access and make changes to these profiles. The following options contain detailed steps for building profiles:
- Refer to Section 3.4.3, “Adding or Creating a Novell AppArmor Profile” (↑Novell AppArmor 2.0 Administration Guide)
- Refer to Section 3.4.4, “Editing a Novell AppArmor Profile” (↑Novell AppArmor 2.0 Administration Guide)
- Refer to Section 3.4.5, “Deleting a Novell AppArmor Profile” (↑Novell AppArmor 2.0 Administration Guide)
Use vim to view and edit your profile by typing vim at a terminal window. To enable syntax coloring when you edit a Novell AppArmor profile in vim, use the commands :syntax on then :set syntax=apparmor. For more information about vim and syntax coloring, refer to Section 3.5.3.8, “apparmor.vim” (↑Novell AppArmor 2.0 Administration Guide).
Note: After making changes to a profile, use the rcapparmor restart command, described in the previous section. This command causes Novell AppArmor to reread the profiles. For a detailed description of the syntax of these files, refer to Chapter 3, Building Novell AppArmor Profiles (↑Novell AppArmor 2.0 Administration Guide).
To add or create a Novell AppArmor profile for an application, you can use a systemic or stand-alone profiling method, depending on your needs.
- Stand-alone profiling: Suitable for profiling small applications that have a finite run time, such as user client applications like mail clients. Refer to Section 3.5.1, “Stand-Alone Profiling” (↑Novell AppArmor 2.0 Administration Guide).
- Systemic profiling: Suitable for profiling large numbers of programs all at once and for profiling applications that might run for days, weeks, or continuously across reboots, such as network server applications like Web servers and mail servers. Refer to Section 3.5.2, “Systemic Profiling” (↑Novell AppArmor 2.0 Administration Guide).
The following steps describe the procedure for editing a Novell AppArmor profile. To better understand what makes up a profile, refer to Section 3.1, “Profile Components and Syntax” (↑Novell AppArmor 2.0 Administration Guide).
1. If you are not currently signed in as root, type su in a terminal window.
2. Enter the root password when prompted.
3. To go to the profile directory, enter cd /etc/apparmor.d/.
4. Enter ls to view all profiles currently installed.
5. Open the profile to edit in a text editor, such as vim.
6. Make the necessary changes, then save the profile.
7. Restart Novell AppArmor by entering rcapparmor restart in a terminal window.
The following steps describe the procedure for deleting a Novell AppArmor profile.
1. If you are not currently signed in as root, enter su in a terminal window.
2. Enter the root password when prompted.
3. To go to the Novell AppArmor directory, enter cd /etc/apparmor.d/.
4. Enter ls to view all the Novell AppArmor profiles that are currently installed.
5. Delete the existing profile with rm profilename.
6. Restart Novell AppArmor by entering rcapparmor restart in a terminal window.