Re: [opensuse] deleting appamor-profile in yast?

On Thursday, 30 November 2017, 08:53:34 CET, Simon Becherer wrote:
> Thanks for the info; it did not work, it is still there, but I got it this way:

I'm afraid the documentation is slightly outdated in this detail.

In the past, "rcapparmor reload" indeed unloaded profiles that no longer
existed in /etc/apparmor.d/. However, this also caused unloading of
automatically generated LXD profiles, which resulted in removing the
AppArmor confinement from those processes. (See for details.)

Therefore the behaviour of "rcapparmor reload" was changed: it no
longer unloads "unknown" profiles (where "unknown" means profiles that
don't exist in /etc/apparmor.d).

To unload all "unknown" profiles (including automatically generated LXD
profiles!) you can use the new aa-remove-unknown tool.

aa-remove-unknown -n does a "dry run" and lists the profiles that
would be unloaded, and calling aa-remove-unknown without parameters will
really unload "unknown" profiles.

> 1) ln -s /etc/apparmor.d/usr.bin.mywongsoftwarename
> 2) apparmor_parser -R /etc/apparmor.d/usr.bin.mywongsoftwarename
> (this line gave me a warning message; I do not know if it did anything,
> found somewhere on Google)
> 3) I stopped AppArmor in YaST.
> 4) delete /var/lib/apparmor/cache/usr.bin.mywongsoftwarename
> 5) delete /etc/apparmor.d/usr.bin.mywongsoftwarename
> 6) starting AppArmor in YaST.

You did too much here, and possibly now have applications running
unconfined. Stopping AppArmor will remove confinement from running
processes, and starting AppArmor can't (re)confine already running
processes. Check the aa-status output, and restart all processes
that are listed as "unconfined but have a profile defined" to confine
them again.

If you really want to unload and delete a single profile, the needed
steps are:

1) apparmor_parser -R /etc/apparmor.d/whatever
2) rm /etc/apparmor.d/whatever
3) rm /var/lib/apparmor/cache/whatever

Step 3 "only" frees a little bit of disk space - if you don't delete the
cache file, it won't hurt ;-)

Another option is to use aa-disable /etc/apparmor.d/whatever
This will unload the profile and create a symlink in

BTW: I pasted most of this mail into a documentation bugreport:


Christian Boltz
A computer does what you "tell" it, not what you want. So you have to
know how to tell it what you want.
[Stefan G. Weichinger in postfixbuch-users]
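Added example, not code from the mail above or from the AppArmor project: a POSIX shell script that wraps the three single-profile removal steps from the reply (apparmor_parser -R, rm the profile, rm the cache file) without ever stopping AppArmor, and parses aa-status output to list the processes that are "unconfined but have a profile defined" so they can be restarted. The aa-status sample is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the mail or the AppArmor project.

# Print "<pid> <path>" for each process listed under the aa-status heading
# "... processes are unconfined but have a profile defined." Reads aa-status
# output on stdin so it can be exercised offline on captured text.
unconfined_with_profile() {
    awk '
        /processes are unconfined but have a profile defined/ { insec = 1; next }
        /^[0-9]+ (processes|profiles)/ { insec = 0 }
        insec && /^[ \t]+\// {
            # entry lines look like "   /usr/sbin/cupsd (5678)"
            path = $1; pid = $2
            gsub(/[()]/, "", pid)
            print pid, path
        }'
}

# Unload and delete one profile: exactly the three steps from the reply.
# Never stops AppArmor, so other confined processes keep their profiles.
remove_profile() {
    profile="$1"
    case "$profile" in
        /etc/apparmor.d/*) ;;
        *) echo "refusing: $profile is not under /etc/apparmor.d" >&2; return 1 ;;
    esac
    [ -f "$profile" ] || { echo "no such profile file: $profile" >&2; return 1; }
    apparmor_parser -R "$profile" || return 1                # 1) unload from the kernel
    rm -f "$profile"                                         # 2) delete the profile
    rm -f "/var/lib/apparmor/cache/$(basename "$profile")"   # 3) cache file, optional
}

# Constructed sample of aa-status output (not captured from a real host).
SAMPLE_AA_STATUS='apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
   /usr/bin/mywongsoftwarename
   /usr/sbin/cupsd
   /usr/sbin/ntpd
0 profiles are in complain mode.
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/ntpd (1234)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/sbin/cupsd (5678)'

# On a live host:  aa-status | unconfined_with_profile   (then restart those PIDs)
```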

