Chapter 4. Building Profiles via the Command Line

Table of Contents

4.1. Checking the AppArmor Module Status
4.2. Building Novell AppArmor Profiles
4.3. Adding or Creating a Novell AppArmor Profile
4.4. Editing a Novell AppArmor Profile
4.5. Deleting a Novell AppArmor Profile
4.6. Two Methods of Profiling
4.7. Pathnames and Globbing
4.8. File Permission Access Modes
4.9. Important Filenames and Directories

Novell® AppArmor can be managed and configured from a command line interface as well as from a graphical one. With the Novell AppArmor command line tools you can track the status of Novell AppArmor and create, delete, or modify Novell AppArmor profiles.

Tip: For More Information

Before starting to manage your profiles using the AppArmor command line tools, read the general introduction to AppArmor given in Chapter 1, Immunizing Programs, and Chapter 2, Profile Components and Syntax.

4.1. Checking the AppArmor Module Status

The AppArmor module can be in any one of three states:

Unloaded

The AppArmor module is not loaded into the kernel.

Running

The AppArmor module is loaded into the kernel and is enforcing Novell AppArmor program policies.

Stopped

The AppArmor module is loaded into the kernel, but no policies are enforced.

Detect the state of the AppArmor module by inspecting /sys/kernel/security/apparmor/profiles. If cat /sys/kernel/security/apparmor/profiles reports a list of profiles, Novell AppArmor is running. If the file exists but is empty, AppArmor is stopped. If the file does not exist, AppArmor is unloaded.
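The three-way check just described, as an added example that is not part of the SUSE documentation: the helper function names (apparmor_state, require_running) and the optional path argument are assumptions introduced so the check can be exercised against a constructed file instead of the live sysfs entry.

```shell
#!/bin/sh
# Added example (not from the Novell AppArmor documentation): classify the
# AppArmor module state by inspecting /sys/kernel/security/apparmor/profiles.
#
# apparmor_state [PATH] prints one of: unloaded | stopped | running | unknown
# The PATH argument is an assumption added for testing against a constructed
# file; on a real system call it with no argument.

apparmor_state() {
    profiles_file="${1:-/sys/kernel/security/apparmor/profiles}"

    # No such file: the module is not loaded into the kernel.
    if [ ! -e "$profiles_file" ]; then
        echo unloaded
        return 0
    fi

    # The sysfs file is normally readable only by root; an unreadable file
    # must not be mistaken for an empty (stopped) one.
    if [ ! -r "$profiles_file" ]; then
        echo unknown
        return 0
    fi

    # Count non-empty lines, which is what "cat" would show as profiles.
    # "|| true" keeps grep's exit status 1 on zero matches from tripping set -e.
    count=$(grep -c . "$profiles_file" || true)

    if [ "$count" -gt 0 ]; then
        echo running      # profiles loaded and policies enforced
    else
        echo stopped      # module loaded, no policies in kernel memory
    fi
}

# Succeeds only in the running state. Useful as a guard before editing
# profiles so you know whether "rcapparmor start" would load the module
# or merely rescan /etc/apparmor.d.
require_running() {
    state=$(apparmor_state "$@")
    [ "$state" = running ]
}

apparmor_state
```

Run it as root on a real system; as an unprivileged user the sysfs file is unreadable and the function reports unknown rather than guessing.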

You can load and unload the AppArmor module with the standard Linux module commands, such as modprobe, insmod, lsmod, and rmmod, but this approach is not recommended. Instead, manage Novell AppArmor through the script rcapparmor, which can perform the following operations:

rcapparmor start

Behavior depends on the AppArmor module state. If it was unloaded, start loads the module and starts it, putting it in the running state. If it was stopped, start causes the module to rescan the Novell AppArmor profiles usually found in /etc/apparmor.d and puts the module in the running state. If the module was already running, start reports a warning and takes no action.

rcapparmor stop

Stops the AppArmor module if it was running by removing all profiles from kernel memory, effectively disabling all access controls, putting the module into the stopped state. If the AppArmor module was either unloaded or already stopped, stop tries to unload the profiles again, but nothing happens.

rcapparmor restart

Causes the AppArmor module to rescan the profiles in /etc/apparmor.d without unconfining running processes. Freshly created profiles are enforced and recently deleted ones are removed from the /etc/apparmor.d directory.

rcapparmor kill

Unconditionally removes the AppArmor module from the kernel. This is unsafe, as forcibly unloading any module from a running Linux kernel is. This command is provided only for debugging and for emergencies in which the module must be removed.

Warning

Novell AppArmor is a powerful access control system and it is possible to lock yourself out of your own machine to the point where you have to boot the machine from a rescue medium (such as CD 1 of openSUSE) to regain control.

To prevent such a problem, always ensure that you have a running, unconfined root login on the machine being configured when you restart the AppArmor module. If you damage your system to the point where logins are no longer possible (for example, by breaking the profile associated with the SSH daemon), you can repair the damage from your running root prompt, then restart the AppArmor module.