Novell® AppArmor provides the ability to use a command line interface rather than a graphical interface to manage and configure your system security. Track the status of Novell AppArmor and create, delete, or modify AppArmor profiles using the AppArmor command line tools.
Before starting to manage your profiles using the AppArmor command line tools, check out the general introduction to AppArmor given in Kapitel 1, Immunizing Programs and Kapitel 2, Profile Components and Syntax.
An AppArmor module can be in any one of three states:
The AppArmor module is not loaded into the kernel.
The AppArmor module is loaded into the kernel and is enforcing AppArmor program policies.
The AppArmor module is loaded into the kernel, but no policies are enforced.
Detect the state of the AppArmor module by inspecting
cat /sys/kernel/security/apparmor/profiles reports a
list of profiles, AppArmor is running. If it is empty and returns nothing,
AppArmor is stopped. If the file does not exist, AppArmor is unloaded.
Manage AppArmor through the script
rcapparmor, which can
perform the following operations:
Behavior depends on the AppArmor module state. If it is unloaded,
start loads the module and starts it, putting it in the
running state. If it is stopped,
start causes the
module to rescan the AppArmor profiles usually found in
/etc/apparmor.d and puts the module in the running
state. If the module is already running,
a warning and takes no action.
Stops the AppArmor module if it is running by removing all profiles
from kernel memory, effectively disabling all access controls, and
the module into the stopped state. If the AppArmor module is
unloaded or already stopped,
stop tries to unload
the profiles again, but nothing happens.
Causes the AppArmor module to rescan the profiles in
/etc/apparmor.d without unconfining running
processes. Freshly created profiles are enforced and recently
deleted ones are removed from the
Unconditionally removes the AppArmor module from the kernel. This is unsafe, because unloading modules from the Linux kernel is unsafe. This command is provided only for debugging and emergencies when the module might need to be removed.
AppArmor is a powerful access control system and it is possible to lock yourself out of your own machine to the point where you must boot the machine from a rescue medium (such as the first medium of openSUSE) to regain control.
To prevent such a problem, always ensure that you have a running,