AppArmor is a MAC system that plays a role similar to SELinux in that it provides a context-based permission model. This section describes the key components of AppArmor that might be tested on the Linux+ exam.
An AppArmor profile is a rule set that describes how AppArmor should restrict a process. It is possible to disable a profile for a specific profile by using the aa-disable command. Another technique that is commonly used is showed in the following example:
root@localhost:~# ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/ apparmor.d/disable root@localhost:~# apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
If you need to troubleshoot an AppArmor profile, it is best to put it into complain mode. In this mode, no restrictions are enforced, but any problems will be reported.
Use the aa-complain command to put a profile into complain mode:
root@localhost:~# aa-complain /usr/sbin/mysqld Setting /usr/sbin/mysqld to complain mode.
To put the profile back into enforcing mode, use the following command:
root@localhost:~# sudo aa-enforce /usr/sbin/mysqld Setting /usr/sbin/mysqld to enforce mode
Use the aa-unconfined command to list processes that are not restricted by the AppArmor profiles.
The /etc/apparmor.d directory is the location of the definitions of the AppArmor profiles. Knowing how to create or read these files is beyond the scope of the Linux+ exam, but it is important to know the locations of these profiles in order to determine which profiles are available and to use the AppArmor commands, such as the aa-disable command.
The /etc/apparmor.d/tunables directory holds files that can be used to fine-tune the behavior of AppArmor. Knowing how to create or read these files is beyond the scope of the Linux+ exam.