[Bug 1070674] New: [doc] "Deleting an AppArmor Profile" needs an update
http://bugzilla.opensuse.org/show_bug.cgi?id=1070674

Bug ID: 1070674
Summary: [doc] "Deleting an AppArmor Profile" needs an update
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Documentation
Assignee: fs@suse.com
Reporter: suse-beta@cboltz.de
QA Contact: fs@suse.com
Found By: ---
Blocker: ---

24.5 Deleting an AppArmor Profile
https://doc.opensuse.org/documentation/leap/security/html/book.security/cha....

This section is outdated since bug 1029696 ;-)

I'm just writing this to the opensuse@ mailing list and will paste the relevant parts of the mail here so that you can update the documentation. Note that LXD is the case I know, but I wouldn't be surprised if other tools (libvirt? docker?) also autogenerate profiles that are affected by this.

In the past, "rcapparmor reload" indeed unloaded profiles that were no longer in /etc/apparmor.d/. However, this also caused unloading of automatically generated LXD profiles, which resulted in removing the AppArmor confinement from those processes. (See https://bugzilla.opensuse.org/show_bug.cgi?id=1029696 for details.)

Therefore the behaviour of "rcapparmor reload" was changed - it no longer unloads "unknown" profiles (where "unknown" means profiles that don't exist in /etc/apparmor.d).

To unload all "unknown" profiles (including automatically generated LXD profiles!) you can use the new aa-remove-unknown tool. aa-remove-unknown -n does a "dry run" and lists the profiles that would be unloaded, and calling aa-remove-unknown without parameters will really unload "unknown" profiles.

If you really want to unload and delete a single profile, the needed steps are:

1) apparmor_parser -R /etc/apparmor.d/whatever
2) rm /etc/apparmor.d/whatever
3) rm /var/lib/apparmor/cache/whatever

Step 3 "only" frees a little bit of disk space - if you don't delete the cache file, it won't hurt ;-)

Another option is to use aa-disable /etc/apparmor.d/whatever

This will unload the profile and create a symlink in /etc/apparmor.d/disable/

--
You are receiving this mail because:
You are on the CC list for the bug.
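The three-step removal of a single profile from the report, wrapped in a small POSIX shell script as an added example (not from the bug report or from the AppArmor project). The dry-run mode, the name check and the overridable directories are assumptions added here; the commands themselves are the ones the report lists.

```shell
#!/bin/sh
# Unload and delete ONE AppArmor profile, following the report's steps:
#   1) apparmor_parser -R /etc/apparmor.d/NAME   (unload from the kernel)
#   2) rm /etc/apparmor.d/NAME                   (delete the profile file)
#   3) rm /var/lib/apparmor/cache/NAME           (optional, frees disk only)
# Assumptions (not from the report): directories overridable via the
# environment and a DRY_RUN=1 mode that only prints the commands.
set -u

APPARMOR_D="${APPARMOR_D:-/etc/apparmor.d}"
APPARMOR_CACHE="${APPARMOR_CACHE:-/var/lib/apparmor/cache}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD ARGS...: print the command; execute it unless DRY_RUN=1
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# delete_profile NAME: NAME is the bare file name under $APPARMOR_D
# (e.g. usr.bin.foo). Refuses paths and dotfiles so a stray argument
# cannot point step 2 at something outside the profile directory.
delete_profile() {
    name="$1"
    case "$name" in
        ""|.*|*/*) echo "refusing profile name: '$name'" >&2; return 2 ;;
    esac
    profile="$APPARMOR_D/$name"
    if [ ! -f "$profile" ]; then
        echo "no such profile file: $profile" >&2
        return 1
    fi
    # Step 1: unload the profile from the kernel. If this fails, stop:
    # deleting the file while the profile stays loaded would leave a
    # confinement nothing on disk describes any more.
    run apparmor_parser -R "$profile" || return 1
    # Step 2: delete the profile file.
    run rm -f "$profile" || return 1
    # Step 3: delete the cache file if present (only frees space).
    if [ -f "$APPARMOR_CACHE/$name" ]; then
        run rm -f "$APPARMOR_CACHE/$name"
    fi
}

if [ $# -gt 0 ]; then
    delete_profile "$1"
fi
```

Run it as `DRY_RUN=1 ./delete-profile.sh usr.bin.foo` first to see the three commands, then without DRY_RUN to apply them.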