This section provides a very basic understanding of
what is happening behind the scenes (and under the hood of
the YaST interface) when you run AppArmor.
An AppArmor profile is a plain text file containing path entries and access
permissions. See Section 2.1, Breaking a Novell AppArmor Profile into Its Parts for a detailed reference
profile. The directives contained in this text file are then enforced by the
AppArmor routines to quarantine the process or program.
The following tools interact in the building and enforcement of AppArmor
profiles and policies:
aa-unconfined detects any application running on your system
that listens for network connections and is not protected by an AppArmor
profile. Refer to aa-unconfined—Identifying Unprotected Processes for detailed information about
aa-autodep creates a basic skeleton of a profile that needs to be
fleshed out before it is put to productive use. The resulting profile is
loaded and put into complain mode, reporting any behavior of the
application that is not (yet) covered by AppArmor rules. Refer to aa-autodep—Creating Approximate Profiles for detailed information about this tool.
aa-genprof generates a basic profile and asks you to refine this
profile by executing the application, generating log events that
need to be taken care of by AppArmor policies. You are guided through a
series of questions to deal with the log events that have been triggered
during the application's execution. After the profile has been generated,
it is loaded and put into enforce mode. Refer to aa-genprof—Generating Profiles for detailed information about this tool.
aa-logprof interactively scans and reviews the log entries generated
by an application that is confined by an AppArmor profile in complain
mode. It assists you in generating new entries in the profile concerned.
Refer to aa-logprof—Scanning the System Log for detailed information about this
aa-complain toggles the mode of an AppArmor profile from enforce to
complain. Exceptions to rules set in a profile are logged, but the
profile is not enforced. Refer to aa-complain—Entering Complain or Learning Mode for detailed
information about this tool.
aa-enforce toggles the mode of an AppArmor profile from complain to
enforce. Exceptions to rules set in a profile are logged, but not
permitted—the profile is enforced. Refer to aa-enforce—Entering Enforce Mode for detailed information about this tool.
Once a profile has been built and is loaded, there are two ways in
which it can get processed:
In complain mode, violations of AppArmor profile rules, such as the
profiled program accessing files not permitted by the profile, are
detected. The violations are permitted, but also logged. To improve the
profile, turn complain mode on, run the program through a suite of tests
to generate log events that characterize the program's access needs, then
postprocess the log with the AppArmor tools (YaST or aa-logprof) to
transform log events into improved profiles.
In enforce mode, violations of AppArmor profile rules, such as the profiled
program accessing files not permitted by the profile, are detected. The
violations are logged and not permitted. The default is for enforce mode
to be enabled. To log the violations only, but still permit them, use
complain mode. Enforce toggles with complain mode.