openSUSE:Bugreport AppArmor


AppArmor ships with several security profiles that are pre-defined and enabled by default. While many users will never run into difficulties with the policies shipped with SUSE Linux, some users inevitably configure their systems differently from what we have been able to test ourselves, and some of those configuration differences require updating policy before the confined programs can run.

Updating a profile

You may use the aa-complain program to immediately place the profile into "learning mode" (also called complain mode). This step is not strictly necessary, but it restores the program's functionality right away while the policy is being fixed. Running "aa-complain /etc/apparmor.d/*" places all your profiles into complain mode at once, which may be useful if your configuration is drastically different from what our profiles were designed to allow; if only one program is affected, pass only its profile (for example "aa-complain /etc/apparmor.d/usr.sbin.ntpd") so the remaining profiles stay enforced.

Warning: In complain/learning mode AppArmor does not restrict the operations of the program. Operations the profile would have denied are carried out and "only" logged (as PERMITTING, or on newer releases ALLOWED, messages), so a profile in complain mode offers no protection until it is put back into enforce mode.

When you have finished your profile updates, use aa-enforce (for example "aa-enforce /etc/apparmor.d/*", or the single profile you switched) to put your profiles back into enforce mode, and re-run the program once more to confirm that no new REJECTING/DENIED messages appear.

You can use the aa-logprof program to update your security policy: either run aa-logprof as root in a terminal, or use the YaST2 AppArmor / Update Profile Wizard interface. It reads the log messages recorded while the profile was in complain mode and asks you a series of questions; each question concerns one access (typically to a specific file) attempted by a specific program. For each you may allow access to that exact file, allow a shell-style glob that covers it, automatically #include a predefined chunk of policy (known as an 'abstraction'), or deny the access. Prefer the narrowest rule that makes the program work: a glob such as /etc/** grants far more than the single file the program actually needed, and a rule that is too broad weakens the profile for everyone who later receives it.

Reporting your profile updates

After you've completed the aa-logprof process, please consider filing a bug report (Product: openSUSE x.y, Component: AppArmor). If you've experienced a problem with insufficient policy, it is likely that other users will experience the same problem and would benefit from your experience.

In order to make the best possible decisions for users, we ask for a few specific pieces of information in AppArmor policy bug reports:

  • The REJECTING or PERMITTING messages from /var/log/audit/audit.log (or /var/log/messages, if auditd isn't running; on newer releases these messages read apparmor="DENIED" and apparmor="ALLOWED" instead, and may be in the systemd journal rather than /var/log/messages). Please include the complete lines, not just the file names, since the profile name, the program, and the requested access mask are all needed to write a correct rule.
  • Optional: the profile changes you made (the REJECTING or PERMITTING log messages are more important, however, because they let us decide on the right rule rather than copy yours).
  • A quick description of how the programs were configured (any non-default paths, plugins, or options are especially relevant).
  • A quick description of the action(s) that most immediately led to the rejection messages.
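The following POSIX shell script is an added example, not part of this wiki page or of the AppArmor tools themselves. It shows how to pull exactly the lines asked for above out of the log after the complain-mode/aa-logprof procedure from the previous section, and it handles both the older REJECTING/PERMITTING syslog wording and the newer apparmor="DENIED"/"ALLOWED" audit wording. The log lines, profile names (/usr/sbin/ntpd, /usr/sbin/nscd), and paths in it are constructed for the example and do not come from a real system; replace sample_log with "cat /var/log/audit/audit.log" (or the journal) on a real machine.

```shell
#!/bin/sh
# Added example: extract the AppArmor log lines that belong in a bug report.
#
# Typical surrounding workflow (needs root, not run here):
#   aa-complain /etc/apparmor.d/usr.sbin.ntpd   # learning mode for one profile
#   ... reproduce the failure ...
#   aa-logprof                                  # turn the logged events into rules
#   aa-enforce  /etc/apparmor.d/usr.sbin.ntpd   # back to enforce mode
#
# The lines below are CONSTRUCTED sample data, not captured from any system.
# They mix the newer audit format (apparmor="DENIED"/"ALLOWED") with the older
# REJECTING/PERMITTING wording so both can be handled.
sample_log() {
cat <<'EOF'
type=APPARMOR_DENIED msg=audit(1300000000.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp/custom.conf" pid=1234 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=APPARMOR_ALLOWED msg=audit(1300000000.456:46): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/var/lib/ntp/drift" pid=1234 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=SYSCALL msg=audit(1300000000.789:47): arch=c000003e syscall=2 success=yes exit=3
audit(1200000000.000:10): REJECTING r access to /etc/foo.conf (nscd(4321) profile /usr/sbin/nscd active /usr/sbin/nscd)
audit(1200000000.000:11): PERMITTING w access to /var/run/nscd/socket (nscd(4321) profile /usr/sbin/nscd active /usr/sbin/nscd)
EOF
}

# apparmor_events PROFILE
#   Reads a log on stdin and prints only the AppArmor decision messages
#   (either format) that were produced under PROFILE. Unrelated audit
#   records such as SYSCALL lines are dropped. The exact, complete lines
#   are what the bug report should contain.
apparmor_events() {
    profile="$1"
    grep -E 'apparmor="(DENIED|ALLOWED)"|REJECTING|PERMITTING' |
        grep -F -e "profile=\"$profile\"" -e "profile $profile "
}

# count_events PROFILE
#   Number of AppArmor decision messages for PROFILE in the sample log.
#   awk is used instead of "grep -c" so an empty result prints 0 with
#   exit status 0 (grep would exit 1, which trips "set -e").
count_events() {
    sample_log | apparmor_events "$1" | awk 'END { print NR }'
}

# denied_paths PROFILE
#   The file names that were actually refused in enforce mode (DENIED or
#   REJECTING). ALLOWED/PERMITTING lines from complain mode are left out
#   here because they record what *would* have been refused.
denied_paths() {
    sample_log | apparmor_events "$1" |
        sed -n -e 's/.*apparmor="DENIED".*name="\([^"]*\)".*/\1/p' \
               -e 's/.*REJECTING [a-z]* access to \([^ ]*\) .*/\1/p'
}

# Usage: print the report excerpt for one profile.
#   sh report.sh /usr/sbin/ntpd
if [ -n "$1" ]; then
    echo "== AppArmor messages for profile $1 =="
    sample_log | apparmor_events "$1"
    echo "== Paths denied in enforce mode =="
    denied_paths "$1"
fi
```

When you attach the output to a bug report, keep the complete lines rather than just the paths: the profile name, the program (comm), the operation, and the requested/denied access mask are what the profile maintainer needs to write a correct, minimal rule.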

See also AppArmor's Contribute page.