This section provides a very basic understanding of what is happening behind the scenes (and under the hood of the YaST interface) when you run AppArmor.
An AppArmor profile is a plain text file containing path entries and access permissions. See Section 2.1, Breaking a Novell AppArmor Profile into Its Parts for a detailed reference profile. The directives contained in this text file are then enforced by the AppArmor routines to quarantine the process or program.
The following tools interact in the building and enforcement of AppArmor profiles and policies:
aa-unconfined detects any application running on your system that listens for network connections and is not protected by an AppArmor profile. Refer to aa-unconfined—Identifying Unprotected Processes for detailed information about this tool.
aa-autodep creates a basic skeleton of a profile that needs to be fleshed out before it is put to productive use. The resulting profile is loaded and put into complain mode, reporting any behavior of the application that is not (yet) covered by AppArmor rules. Refer to aa-autodep—Creating Approximate Profiles for detailed information about this tool.
aa-genprof generates a basic profile and asks you to refine this profile by executing the application, generating log events that need to be taken care of by AppArmor policies. You are guided through a series of questions to deal with the log events that have been triggered during the application's execution. After the profile has been generated, it is loaded and put into enforce mode. Refer to aa-genprof—Generating Profiles for detailed information about this tool.
aa-logprof interactively scans and reviews the log entries generated by an application that is confined by an AppArmor profile in complain mode. It assists you in generating new entries in the profile concerned. Refer to aa-logprof—Scanning the System Log for detailed information about this tool.
aa-complain toggles the mode of an AppArmor profile from enforce to complain. Exceptions to rules set in a profile are logged, but the profile is not enforced. Refer to aa-complain—Entering Complain or Learning Mode for detailed information about this tool.
aa-enforce toggles the mode of an AppArmor profile from complain to enforce. Exceptions to rules set in a profile are logged, but not permitted—the profile is enforced. Refer to aa-enforce—Entering Enforce Mode for detailed information about this tool.
Once a profile has been built and is loaded, there are two modes in which it can be processed:
In complain mode, violations of AppArmor profile rules, such as the profiled program accessing files not permitted by the profile, are detected. The violations are permitted, but also logged. To improve the profile, turn complain mode on, run the program through a suite of tests to generate log events that characterize the program's access needs, then postprocess the log with the AppArmor tools (YaST or aa-logprof) to transform log events into improved profiles.
In enforce mode, violations of AppArmor profile rules, such as the profiled program accessing files not permitted by the profile, are detected. The violations are logged and not permitted. Enforce mode is the default. To log the violations only, but still permit them, use complain mode. A profile is switched between the two modes with aa-complain and aa-enforce.
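To make the difference between the two modes concrete, the following added example (not code from the AppArmor project or from this guide) does in miniature what aa-logprof does: it reads AppArmor audit events, treats apparmor="ALLOWED" events as complain-mode learning data and apparmor="DENIED" events as enforce-mode blocks, and renders the learned accesses as the plain "path permission," entries that make up a profile. The log lines, the profile name /usr/bin/example-daemon and the paths are constructed samples, and the mask-to-permission mapping is deliberately simplified (real aa-logprof also proposes abstractions and globbing).

```python
"""Turn AppArmor audit events into candidate profile rules.

Added example, not code from the AppArmor project or the original page.
Events in the kernel audit format carry apparmor="ALLOWED" when a profile
is in complain mode and apparmor="DENIED" when it is in enforce mode.
"""
import re
from collections import defaultdict

# Constructed sample events (profile name, paths and PIDs are hypothetical).
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:10): apparmor="ALLOWED" operation="open" profile="/usr/bin/example-daemon" name="/etc/example/config.ini" pid=4242 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.102:11): apparmor="ALLOWED" operation="open" profile="/usr/bin/example-daemon" name="/var/log/example/daemon.log" pid=4242 comm="example-daemon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.103:12): apparmor="ALLOWED" operation="open" profile="/usr/bin/example-daemon" name="/etc/example/config.ini" pid=4242 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.104:13): apparmor="DENIED" operation="open" profile="/usr/bin/example-daemon" name="/etc/shadow" pid=4242 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.105:14): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/example-daemon" pid=1 comm="apparmor_parser"
"""

# Matches key="quoted value" or key=bare_value pairs in an audit line.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Order in which permission letters are written in a profile rule.
_ORDER = "rwamklx"


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def rule_for(event):
    """Map a file-access event to a path rule such as '/etc/foo r,'."""
    if event.get("apparmor") not in ("ALLOWED", "DENIED"):
        return None  # STATUS and other housekeeping events carry no access
    name = event.get("name")
    mask = event.get("denied_mask") or event.get("requested_mask", "")
    if not name or not mask:
        return None
    # Simplified mapping: create ('c') and delete ('d') need write access;
    # letters outside the profile permission set are dropped.
    letters = set(mask.replace("c", "w").replace("d", "w"))
    perms = "".join(ch for ch in _ORDER if ch in letters)
    return f"{name} {perms}," if perms else None


def summarize(log_text):
    """Group rules by profile: {profile: {"learned": set, "blocked": set}}.

    'learned' holds complain-mode (ALLOWED) accesses, the raw material for
    a better profile; 'blocked' holds enforce-mode (DENIED) accesses that
    the profile already stopped and that a reviewer should look at first.
    """
    out = defaultdict(lambda: {"learned": set(), "blocked": set()})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        rule = rule_for(ev)
        if rule is None:
            continue
        bucket = "learned" if ev["apparmor"] == "ALLOWED" else "blocked"
        out[ev["profile"]][bucket].add(rule)
    return dict(out)


def render_profile(profile, rules, complain=True):
    """Emit a minimal profile body; flags=(complain) keeps it in learning mode."""
    flags = " flags=(complain)" if complain else ""
    body = "\n".join(f"  {r}" for r in sorted(rules))
    return f"{profile}{flags} {{\n{body}\n}}\n"


if __name__ == "__main__":
    for profile, buckets in summarize(SAMPLE_LOG).items():
        print(f"# {profile}: {len(buckets['learned'])} learned rule(s), "
              f"{len(buckets['blocked'])} blocked access(es)")
        for r in sorted(buckets["blocked"]):
            print(f"#   enforce-mode denial, review before adding: {r}")
        print(render_profile(profile, buckets["learned"]))
```

Run as a script, it prints one skeleton profile per confined program built from the ALLOWED events, and lists DENIED events separately so that an enforce-mode block is never silently turned into a permission; that separation is the reason the text recommends complain mode for learning and enforce mode for production.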