Hello,

On Thursday, 30 November 2017, 08:53:34 CET, Simon Becherer wrote:
> thanks for info, did not work, is still there, but I got it this way:

I'm afraid the documentation is slightly outdated in this detail.

In the past, "rcapparmor reload" indeed unloaded profiles that no longer exist in /etc/apparmor.d/. However, this also caused unloading of automatically generated LXD profiles, which resulted in removing the AppArmor confinement from those processes. (See https://bugzilla.opensuse.org/show_bug.cgi?id=1029696 for details.)

Therefore the behaviour of "rcapparmor reload" was changed - it no longer unloads "unknown" profiles (where "unknown" means profiles that don't exist in /etc/apparmor.d).

To unload all "unknown" profiles (including automatically generated LXD profiles!) you can use the new aa-remove-unknown tool.

aa-remove-unknown -n does a "dry run" and lists the profiles that would be unloaded, and calling aa-remove-unknown without parameters will really unload "unknown" profiles.

> 1) ln -s /etc/apparmor.d/usr.bin.mywongsoftwarename /etc/apparmor.d/disable/
> 2) apparmor_parser -R /etc/apparmor.d/usr.bin.mywongsoftwarename
>    (this line gave me a warning message, I do not know if it did anything, found somewhere in google)
> 3) I stopped apparmor in yast.
> 4) delete /var/lib/apparmor/cache/usr.bin.mywongsoftwarename
> 5) delete /etc/apparmor.d/usr.bin.mywongsoftwarename
> 6) starting apparmor in yast.

You did too much here, and possibly now have applications running unconfined. Stopping AppArmor will remove confinement from running processes, and starting AppArmor can't (re)confine already running processes.

Check the aa-status output, and restart all processes that are listed as "unconfined but have a profile defined" to confine them again.

If you really want to unload and delete a single profile, the needed steps are:

1) apparmor_parser -R /etc/apparmor.d/whatever
2) rm /etc/apparmor.d/whatever
3) rm /var/lib/apparmor/cache/whatever

Step 3 "only" frees a little bit of disk space - if you don't delete the cache file, it won't hurt ;-)

Another option is to use

aa-disable /etc/apparmor.d/whatever

This will unload the profile and create a symlink in /etc/apparmor.d/disable/

BTW: I pasted most of this mail into a documentation bugreport: https://bugzilla.opensuse.org/show_bug.cgi?id=1070674

Regards,

Christian Boltz
-- 
A computer does what you "tell" it, and not what you want. Ergo you have to know how to tell it what you want. [Stefan G. Weichinger in postfixbuch-users]