3.4. Building Novell AppArmor Profiles Using the Command Line Interface

Novell AppArmor provides the ability to use a command line interface rather than the GUI to manage and configure your system security.

3.4.1. Checking the AppArmor Module Status

The AppArmor module can be in any one of three states:

Unloaded

The AppArmor module is not loaded into the kernel.

Running

The AppArmor module is loaded into the kernel and is enforcing Novell AppArmor program policies.

Stopped

The AppArmor module is loaded into the kernel, but there are no policies being enforced.

You can detect which of the three states that the AppArmor module is in by inspecting /sys/kernel/security/apparmor/profiles. If cat /sys/kernel/security/apparmor/profiles reports a list of profiles, Novell AppArmor is running. If it is empty and returns nothing, AppArmor is stopped. If the file does not exist, AppArmor is unloaded.
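The three-way check just described, written out as an added shell example (not from the guide): it applies the rules above to the profiles file, takes the path as an optional argument so it can be run against a test copy, and treats a file that exists but cannot be read (the usual result of running as a non-root user) as an error instead of reporting it as stopped.

```shell
#!/bin/sh
# Report the AppArmor module state using the rules from the guide:
#   file missing            -> unloaded
#   file readable but empty -> stopped
#   file lists profiles     -> running
# The path defaults to the real securityfs node; pass another path to test.
apparmor_state() {
    profiles="${1:-/sys/kernel/security/apparmor/profiles}"
    if [ ! -e "$profiles" ]; then
        echo unloaded
        return 0
    fi
    # An existing but unreadable file says nothing about the state, so
    # do not report it as "stopped"; reading it normally requires root.
    if [ ! -r "$profiles" ]; then
        echo "cannot read $profiles (root required?)" >&2
        return 2
    fi
    # The reported file size is not reliable for securityfs entries, so
    # read the content as the guide does with cat.
    if [ -n "$(cat "$profiles")" ]; then
        echo running
    else
        echo stopped
    fi
}

# Number of profiles the kernel currently holds (one per line in the file);
# 0 when the module is unloaded, stopped, or the file is unreadable.
apparmor_profile_count() {
    profiles="${1:-/sys/kernel/security/apparmor/profiles}"
    [ -r "$profiles" ] || { echo 0; return 0; }
    grep -c . "$profiles" || true
}

printf 'AppArmor is %s\n' "$(apparmor_state)"
```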

The AppArmor module can be loaded and unloaded with the standard Linux module commands such as modprobe, insmod, lsmod, and rmmod, but this approach is not recommended. Instead, it is recommended to manage Novell AppArmor through the script rcapparmor, which can perform the following operations:

rcapparmor start

Has different behaviors depending on the AppArmor module state. If it was unloaded, start loads the module and starts it, putting it in the running state. If it was stopped, then start causes the module to rescan the Novell AppArmor profiles usually found in /etc/apparmor.d and puts the module in the running state. If the module was already running, start reports a warning and takes no action.

rcapparmor stop

Stops the AppArmor module (if it was running) by removing all profiles from kernel memory, effectively disabling all access controls and putting the module into the stopped state. If the AppArmor module was either unloaded or already stopped, stop tries to unload the profiles again, but nothing happens.

rcapparmor restart

Causes the AppArmor module to rescan the profiles usually found in /etc/apparmor.d without unconfining running processes, adding new profiles and removing any profiles that had been deleted from /etc/apparmor.d.

rcapparmor kill

Unconditionally removes the AppArmor module from the kernel. This is unsafe, because unloading a module from a running Linux kernel is inherently unsafe. This command is provided only for debugging and emergencies when the module might have to be removed.

Note

Novell AppArmor is a powerful access control system and it is possible to lock yourself out of your own machine to the point where you have to boot the machine from rescue media (such as CD 1 of SUSE Linux) to regain control.

To prevent such a problem, always ensure that you have a running, unconfined, root login on the machine being configured when you restart the AppArmor module. If you damage your system to the point where logins are no longer possible (for example, by breaking the profile associated with the SSH daemon), you can repair the damage using your running root prompt and restarting the AppArmor module.

3.4.2. Building Novell AppArmor Profiles

The AppArmor module profile definitions are stored in the directory /etc/apparmor.d/ as plain text files.

Warning

All files in the /etc/apparmor.d/ directory are interpreted as profiles and are loaded as such. Renaming files in that directory is not an effective way of preventing profiles from being loaded. You must remove profiles from this directory to manage them effectively.

You can use a text editor, such as vim, to access and make changes to these profiles. The following options contain detailed steps for building profiles:

Use vim to view and edit your profile by typing vim at a terminal window. To enable syntax coloring when you edit a Novell AppArmor profile in vim, use the commands :syntax on then :set syntax=apparmor. For more information about vim and syntax coloring, refer to Section 3.5.3.8, “apparmor.vim” (↑Novell AppArmor 2.0 Administration Guide).

Note

After making changes to a profile, use the rcapparmor restart command, described in the previous section. This command causes Novell AppArmor to reread the profiles. For a detailed description of the syntax of these files, refer to Chapter 3, Building Novell AppArmor Profiles (↑Novell AppArmor 2.0 Administration Guide).

3.4.3. Adding or Creating a Novell AppArmor Profile

To add or create a Novell AppArmor profile for an application, you can use a systemic or stand-alone profiling method, depending on your needs.

Stand-Alone Profiling

Suitable for profiling small applications that have a finite run time, such as user client applications like mail clients. Refer to Section 3.5.1, “Stand-Alone Profiling” (↑Novell AppArmor 2.0 Administration Guide).

Systemic Profiling

Suitable for profiling large numbers of programs all at once and for profiling applications that might run for days, weeks, or continuously across reboots, such as network server applications like Web servers and mail servers. Refer to Section 3.5.2, “Systemic Profiling” (↑Novell AppArmor 2.0 Administration Guide).

3.4.4. Editing a Novell AppArmor Profile

The following steps describe the procedure for editing a Novell AppArmor profile. To better understand what makes up a profile, refer to Section 3.1, “Profile Components and Syntax” (↑Novell AppArmor 2.0 Administration Guide).

  1. If you are not currently signed in as root, type su in a terminal window.

  2. Enter the root password when prompted.

  3. To go to the directory, enter cd /etc/apparmor.d/.

  4. Enter ls to view all profiles currently installed.

  5. Open the profile to edit in a text editor, such as vim.

  6. Make the necessary changes, then save the profile.

  7. Restart Novell AppArmor by entering rcapparmor restart in a terminal window.

3.4.5. Deleting a Novell AppArmor Profile

The following steps describe the procedure for deleting a Novell AppArmor profile.

  1. If you are not currently signed in as root, enter su in a terminal window.

  2. Enter the root password when prompted.

  3. To go to the Novell AppArmor directory, enter cd /etc/apparmor.d/.

  4. Enter ls to view all the Novell AppArmor profiles that are currently installed.

  5. Delete the existing profile with rm profilename.

  6. Restart Novell AppArmor by entering rcapparmor restart in a terminal window.
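Added example, not part of the guide: a shell helper for the removal procedure above (Sections 3.4.4 and 3.4.5) that follows the Warning in Section 3.4.2 by moving the profile out of /etc/apparmor.d rather than renaming it in place, keeping a copy so it can be put back. The backup directory /var/tmp/apparmor-disabled is an assumed location; the profile directory and the reload command are parameters so the functions can be exercised on a scratch directory.

```shell
#!/bin/sh
# Take a profile out of the live set by moving it OUT of the profile
# directory, then reload. A rename inside /etc/apparmor.d would not help:
# every file in that directory is loaded as a profile.
# Arguments: name [profiles_dir] [backup_dir] [reload command]
# The backup directory default is an assumed location, not from the guide;
# the reload command is a parameter so the function can be run on a scratch
# directory with ":" in place of "rcapparmor restart".
disable_profile() {
    name="$1"
    profiles_dir="${2:-/etc/apparmor.d}"
    backup_dir="${3:-/var/tmp/apparmor-disabled}"
    reload="${4:-rcapparmor restart}"

    case "$name" in
        ''|*/*) echo "profile name must be a bare file name" >&2; return 1 ;;
    esac
    # Keep the backup outside the profile tree, or it stays loaded.
    case "$backup_dir" in
        "$profiles_dir"|"$profiles_dir"/*)
            echo "backup dir must be outside $profiles_dir" >&2; return 1 ;;
    esac
    if [ ! -f "$profiles_dir/$name" ]; then
        echo "no profile '$name' in $profiles_dir" >&2
        return 1
    fi
    mkdir -p "$backup_dir" || return 1
    mv "$profiles_dir/$name" "$backup_dir/$name" || return 1
    # Rescan: profiles deleted from the directory are dropped, confined
    # processes keep their remaining profiles (rcapparmor restart).
    $reload   # unquoted on purpose: split into command and argument
}

# Put a saved profile back and reload (same arguments as disable_profile).
enable_profile() {
    name="$1"
    profiles_dir="${2:-/etc/apparmor.d}"
    backup_dir="${3:-/var/tmp/apparmor-disabled}"
    reload="${4:-rcapparmor restart}"
    if [ ! -f "$backup_dir/$name" ]; then
        echo "no saved profile '$name' in $backup_dir" >&2
        return 1
    fi
    mv "$backup_dir/$name" "$profiles_dir/$name" || return 1
    $reload
}
```

Run as root on a real system; the Note in Section 3.4.1 about keeping an unconfined root login open applies to every reload this helper performs.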