Novell AppArmor on openSUSE ships with a preconfigured set of profiles for the most important applications. In addition, you can use AppArmor to create your own profiles for any application you want.
There are two ways of managing profiles. One is to use the graphical front-end provided by the YaST Novell AppArmor modules and the other is to use the command line tools provided by the AppArmor suite itself. Both methods basically work the same way.
For each application, perform the following steps to create a profile:

1. As root, let AppArmor create a rough outline of the application's profile by running aa-genprof programname,
   or outline the basic profile by running the corresponding YaST Novell AppArmor module and specifying the complete path to the application you want to profile.
   A basic profile is outlined and AppArmor is put into learning mode, which means that it logs any activity of the program you are executing, but does not yet restrict it.

2. Run the full range of the application's actions to let AppArmor get a very specific picture of its activities.

3. Let AppArmor analyze the log files generated in Step 2 by typing S in aa-genprof,
   or analyze the logs by clicking the corresponding button in the YaST module and following the instructions given in the wizard until the profile is completed.
   AppArmor scans the logs it recorded during the application's run and asks you to set the access rights for each event that was logged. Either set them for each file or use globbing.

4. Depending on the complexity of your application, it might be necessary to repeat Step 2 and Step 3. Confine the application, exercise it under the confined conditions, and process any new log events. To properly confine the full range of an application's capabilities, you might be required to repeat this procedure often.

5. Once all access permissions are set, your profile is set to enforce mode. The profile is applied and AppArmor restricts the application according to the profile just created.

   If you started aa-genprof on an application that had an existing profile that was in complain mode, this profile remains in learning mode upon exit of this learning cycle. For more information about changing the mode of a profile, refer to Section 23.6.3.2, “aa-complain—Entering Complain or Learning Mode” and Section 23.6.3.3, “aa-enforce—Entering Enforce Mode”.

6. Test your profile settings by performing every task you need with the application you just confined. Normally, the confined program runs smoothly and you do not notice AppArmor activities at all. However, if you notice certain misbehavior with your application, check the system logs and see if AppArmor is too tightly confining your application. Depending on the log mechanism used on your system, there are several places to look for AppArmor log entries:

   /var/log/audit/audit.log
   /var/log/messages
   dmesg

7. To adjust the profile, analyze the log messages relating to this application again as described in Step 3. Determine the access rights or restrictions when prompted.
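To make the log-checking step concrete, here is an added Python helper, not part of the openSUSE documentation or of the AppArmor tools, that parses AppArmor DENIED records as they appear in audit.log, /var/log/messages or dmesg output and groups them per profile so you can see which paths and permissions a too-tight profile is blocking. The log lines, the profile name /usr/bin/example and the function names are constructed for this example.

```python
import re
from collections import defaultdict

# AppArmor records are key=value pairs, with values either quoted ("...") or bare.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample: three audit.log style lines and one dmesg style line.
SAMPLE_LOG = [
    'type=AVC msg=audit(1700000000.123:45): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=1234 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(1700000000.456:46): apparmor="DENIED" operation="mknod" profile="/usr/bin/example" name="/var/log/example/out.log" pid=1234 comm="example" requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    'type=AVC msg=audit(1700000000.789:47): apparmor="ALLOWED" operation="open" profile="/usr/bin/other" name="/tmp/x" pid=9 comm="other" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    'type=AVC msg=audit(1700000001.000:48): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=1235 comm="example" requested_mask="rw" denied_mask="w" fsuid=0 ouid=0',
    '[ 1234.567] audit: type=1400 audit(1700000002.000:49): apparmor="DENIED" operation="capable" profile="/usr/bin/example" pid=1236 comm="example" capability=12 capname="net_admin"',
]

def parse_apparmor_record(line):
    """Return the key/value fields of one AppArmor log line, or None if the line
    carries no apparmor= field (the same parser covers audit.log, messages and dmesg)."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, raw, quoted in _KV.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def summarize_denials(lines, profile):
    """Group DENIED events of `profile` into {target: (merged_denied_mask, count)}.
    File events are keyed by path; capability events (operation="capable") carry no
    name, so they are keyed by 'capability <capname>' and get an empty mask."""
    masks = defaultdict(set)
    counts = defaultdict(int)
    for line in lines:
        rec = parse_apparmor_record(line)
        if not rec or rec.get('apparmor') != 'DENIED' or rec.get('profile') != profile:
            continue
        if rec.get('operation') == 'capable':
            key = 'capability ' + rec.get('capname', '?')
        else:
            key = rec.get('name', '?')
        masks[key].update(rec.get('denied_mask', ''))  # union of all denied bits seen
        counts[key] += 1
    return {k: (''.join(sorted(v)), counts[k]) for k, v in masks.items()}

def candidate_rules(summary):
    """Render the summary as rule-shaped lines for a human to review before the
    next aa-genprof/aa-logprof pass; they are not meant to be pasted blindly."""
    return [key + ',' if key.startswith('capability ') else '%s %s,' % (key, mask)
            for key, (mask, _) in sorted(summary.items())]

if __name__ == '__main__':
    for rule in candidate_rules(summarize_denials(SAMPLE_LOG, '/usr/bin/example')):
        print(rule)
```

On a real system, feed the helper the lines of whichever log location your system uses and the profile name exactly as it appears in the profile= field.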
For More Information

For more information about profile building and modification, refer to Chapter 20, Profile Components and Syntax, Chapter 22, Building and Managing Profiles with YaST, and Chapter 23, Building Profiles from the Command Line.