[opensuse] deleting appamor-profile in yast?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, how to delete in tumbleweed a app armor profile, wrongly insert in yast modul-apparmor? i do not see something to delet a profile inside yast-appamor.... simoN - -- B e c h e r e r GmbH Sondermaschinenbau Mauermatten Strasse 22 79183 Waldkirch Germany Tel.: (+49) (0)7681 3134 Fax: (+49) (0)7681 4378 Mail: info@becherer.de Web: www.becherer.de USt-ID-Nr.: DE 814912198 Registergericht: Freiburg HRB 701860 Geschäftsführer: Dipl.-Ing. (FH), EWE Simon H. Becherer Gerichtsstand / Sitz: Waldkirch Es gelten ausschließlich unsere allgemeinen Liefer- und Zahlungsbedingungen / Einkaufsbedingungen: www.becherer.de/AGB -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iQIcBAEBAgAGBQJaHv/EAAoJEOuDxDCJWQG+3FAP/jg6JvcXp0C3ZJoGL36A3l8R gHBe0ustUFY1Mac/RX2YeGrAjmzvb+Es5KyBF+ObmrhZiQzGnoUdadKs57lwscxd ofOOzks+FBL7TxUOffFpJEbN2ncMbPb6bJidgqZFXSRH7EP4YpqX5Wuejeho9tlc FsFZt5xWF2xOP1fctPD+Lck/j/qWLGXNmIaziNqWe7ROGL1hsxp8I7AjGyi34jMJ IJXhWN1wsKayrRZnfmRGlqnWyO1F+ZRETnRH33YSC+u4Ui1XhbEPqtUd0DB9xAgq GMTFfDj75CIaMQXf4ZUfgZxSyiN9L118Qd5QVS2ia0qxsHdD93oM9OdjBKnBGTvE F13ovtQNzdTSf7LNZ0YyILra/Uv6rJpi8RN34/CzJqTQBdQKUnKI7mAH9XYAbypo 4hyiinwdcB9/n7+g5es+XEpKJPi1xfjdgE2IpzSYqKntoV8MAo/9LhegWqM057sm OPGmh6racSzeRxpW0i0tOWp2stQdNpUN9ycz34FL+DK50/70dkysvfZHsXAQjXB6 qU4GtN5RC0mrnN8ziWSJIxpOlbn9GpPRTfbJrRRWpIFeJX5pGDHuz8qKv6B03IJM 5I45nvZSSZjge/02u1nPfp76+0IAn8Ml8dxtGmqNXZFiJA6BpI3cAbpbDC7Rt3S+ 20NTnACHXK8uY+Jlk4jc =XCwU -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 29/11/17 19:43, Simon Becherer wrote:
Hi,
how to delete in tumbleweed a app armor profile, wrongly insert in yast modul-apparmor?
i do not see something to delet a profile inside yast-appamor....
simoN
Hello Simon, I don't know how to handle apparmor with Yast but you can try the following in a terminal window: 24.5 Deleting an AppArmor Profile The following steps describe the procedure for deleting an AppArmor profile. If you are not currently logged in as root, enter su in a terminal window. Enter the root password when prompted. Go to the AppArmor directory with cd /etc/apparmor.d/. Enter ls to view all the AppArmor profiles that are currently installed. Look for the profile you created. Delete the profile with rm PROFILENAME. Restart AppArmor by entering "systemctl reload apparmor" in a terminal window. There is more information about handling apparmor from the commandline here: https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.... -- On a long enough timeline the survival rate for everyone drops to zero... -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi freigeist, thanks for info, did not work, is still there, but i got it this way: 1) ln -s /etc/apparmor.d/usr.bin.mywongsoftwarename /etc/apparmor.d/disable/ 2) apparmor_parser -R /etc/apparmor.d/usr.bin.mywongsoftwarename (this line gave me a warning message i do not know if id do anithing, found somewhere in google) 3) i stopped appamor in yast. 4) delete /var/lib/apparmor/cache/usr.bin.mywongsoftwarename 5) delete /etc/apparmor.d/usr.bin.mywongsoftwarename 6) starting appamor in yast. now its gone :-))) simoN Am 30.11.2017 um 00:08 schrieb Freigeist:
On 29/11/17 19:43, Simon Becherer wrote:
Hi,
how to delete in tumbleweed a app armor profile, wrongly insert in yast modul-apparmor?
i do not see something to delet a profile inside yast-appamor....
simoN
Hello Simon,
I don't know how to handle apparmor with Yast but you can try the following in a terminal window:
24.5 Deleting an AppArmor Profile
The following steps describe the procedure for deleting an AppArmor profile.
If you are not currently logged in as root, enter su in a terminal window.
Enter the root password when prompted.
Go to the AppArmor directory with cd /etc/apparmor.d/.
Enter ls to view all the AppArmor profiles that are currently installed.
Look for the profile you created.
Delete the profile with rm PROFILENAME.
Restart AppArmor by entering "systemctl reload apparmor" in a terminal window.
There is more information about handling apparmor from the commandline here:
https://doc.opensuse.org/documentation/leap/security/html/book.security/cha....
- -- B e c h e r e r GmbH Sondermaschinenbau Mauermatten Strasse 22 79183 Waldkirch Germany Tel.: (+49) (0)7681 3134 Fax: (+49) (0)7681 4378 Mail: info@becherer.de Web: www.becherer.de USt-ID-Nr.: DE 814912198 Registergericht: Freiburg HRB 701860 Geschäftsführer: Dipl.-Ing. (FH), EWE Simon H. Becherer Gerichtsstand / Sitz: Waldkirch Es gelten ausschließlich unsere allgemeinen Liefer- und Zahlungsbedingungen / Einkaufsbedingungen: www.becherer.de/AGB -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iQIcBAEBAgAGBQJaH7j+AAoJEOuDxDCJWQG+wyoQAKivyyelO3PnGxpbvcLui0k2 sxpnXA5cNhSXLIyFYSUZKOiu2vYBx8aQxBIqL5qnJFFMwq0v+rewDvKKAjdmnPc9 ApBG5ihW3D6uIH+EUZ7qkw/Xq/p1la/bJcxTHyrMwsSdFp6yybSiuecOxqkTw1Jt GjX+nGXMFuBWmVmZW7HVlb0F5p5gR/id07mBo3uM64xlmjcu25DeBSu6daEs3dwI iuMpk4EJuFIiMNAOfkm7jxivkYp45R/Megflb9IJ/2L+Hv0PIpxc4cMbLN9V2XjX GsWYubR0QT+tW2pJqKx2M0PAcmVHNYugU88RuOfXtu9SG8aN8UnbqJ3j7jxmVnyf js5Iuf8DFLN7ITW61ZGFemGxlUdqebCsnmJGheS50c4bLYLIgFdWgpSQ1fvbxvYP GYvcp3QkKmbH3zEu2dn7GjynO6xzaBp3RvIVyUMTbUknM5bDMPt8ybnQlpk6NfYm N5WXy41cRbNGD3cMHvHALsxsZB9qgDo36WF1paGz1BK0mtkk+awdTF29hS5kXEIg 97YKp0heKO6TDkMXXk50SXA1lVcOyFKMsZ7hQ6z60XMpbW1fuNgCEHZTRVXsl+VA 8RjCSol93BEGPYyt/fASS7naNfzTB1v3/4fkRdlHIBgoHkz+XTeWkTMRpKT0WvG0 a4tNwRStDUF6AbwB5a2i =Npqi -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Hello, Am Donnerstag, 30. November 2017, 08:53:34 CET schrieb Simon Becherer:
thanks for info, did not work, is still there, but i got it this way:
I'm afraid the documentation is slightly outdated in this detail. In the past, "rcapparmor reload" indeed unloaded profiles that no longer in /etc/apparmor.d/. However, this also caused unloading of automatically generated LXD profiles, which resulted on removing the AppArmor confinement from those processes. (See https://bugzilla.opensuse.org/show_bug.cgi?id=1029696 for details.) Therefore the behaviour of "rcapparmor reload" was changed - it no longer unloads "unknown" profiles (where "unknown" means profiles that don't exist in /etc/apparmor.d) To unload all "unknown" profiles (including automatically generated LXD profiles!) you can use the new aa-remove-unknown tool. aa-remove-unknown -n does a "dry run" and lists the profiles that would be unloaded, and calling aa-remove-unknown without parameters will really unload "unknown" profiles.
1) ln -s /etc/apparmor.d/usr.bin.mywongsoftwarename /etc/apparmor.d/disable/ 2) apparmor_parser -R /etc/apparmor.d/usr.bin.mywongsoftwarename (this line gave me a warning message i do not know if id do anithing, found somewhere in google) 3) i stopped appamor in yast. 4) delete /var/lib/apparmor/cache/usr.bin.mywongsoftwarename 5) delete /etc/apparmor.d/usr.bin.mywongsoftwarename 6) starting appamor in yast.
You did too much here, and possibly now have applications running unconfined. Stopping AppArmor will remove confinement from running processes, and starting AppArmor can't (re)confine already running processes. Check the aa-status output, and restart all processes that are listed as "unconfined but have a profile defined" to confine them again. If you really want to unload and delete a single profile, the needed steps are: 1) apparmor_parser -R /etc/apparmor.d/whatever 2) rm /etc/apparmor.d/whatever 3) rm /var/lib/apparmor/cache/whatever Step 3 "only" frees a little bit of disk space - if you don't delete the cache file, it won't hurt ;-) Another option is to use aa-disable /etc/apparmor.d/whatever This will unload the profile and create a symlink in /etc/apparmor.d/disable/ BTW: I pasted most of this mail into a documentation bugreport: https://bugzilla.opensuse.org/show_bug.cgi?id=1070674 Regards, Christian Boltz -- Ein Computer tut ja das, was man ihm "sagt", und nicht das, was man will. Ergo muß man wissen, wie man ihm sagt, was man will. [Stefan G. Weichinger in postfixbuch-users] -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thank you christian, i never was thinking so much about apparmor... normally it's running in background and that's it. simoN Am 01.12.2017 um 00:36 schrieb Christian Boltz:
Hello,
Am Donnerstag, 30. November 2017, 08:53:34 CET schrieb Simon Becherer:
thanks for info, did not work, is still there, but i got it this way: I'm afraid the documentation is slightly outdated in this detail.
In the past, "rcapparmor reload" indeed unloaded profiles that no longer in /etc/apparmor.d/. However, this also caused unloading of automatically generated LXD profiles, which resulted on removing the AppArmor confinement from those processes. (See https://bugzilla.opensuse.org/show_bug.cgi?id=1029696 for details.)
Therefore the behaviour of "rcapparmor reload" was changed - it no longer unloads "unknown" profiles (where "unknown" means profiles that don't exist in /etc/apparmor.d)
To unload all "unknown" profiles (including automatically generated LXD profiles!) you can use the new aa-remove-unknown tool.
aa-remove-unknown -n does a "dry run" and lists the profiles that would be unloaded, and calling aa-remove-unknown without parameters will really unload "unknown" profiles.
1) ln -s /etc/apparmor.d/usr.bin.mywongsoftwarename /etc/apparmor.d/disable/ 2) apparmor_parser -R /etc/apparmor.d/usr.bin.mywongsoftwarename (this line gave me a warning message i do not know if id do anithing, found somewhere in google) 3) i stopped appamor in yast. 4) delete /var/lib/apparmor/cache/usr.bin.mywongsoftwarename 5) delete /etc/apparmor.d/usr.bin.mywongsoftwarename 6) starting appamor in yast. You did too much here, and possibly now have applications running unconfined. Stopping AppArmor will remove confinement from running processes, and starting AppArmor can't (re)confine already running processes. Check the aa-status output, and restart all processes that are listed as "unconfined but have a profile defined" to confine them again.
If you really want to unload and delete a single profile, the needed steps are:
1) apparmor_parser -R /etc/apparmor.d/whatever 2) rm /etc/apparmor.d/whatever 3) rm /var/lib/apparmor/cache/whatever
Step 3 "only" frees a little bit of disk space - if you don't delete the cache file, it won't hurt ;-)
Another option is to use aa-disable /etc/apparmor.d/whatever This will unload the profile and create a symlink in /etc/apparmor.d/disable/
BTW: I pasted most of this mail into a documentation bugreport: https://bugzilla.opensuse.org/show_bug.cgi?id=1070674
Regards,
Christian Boltz
- -- B e c h e r e r GmbH Sondermaschinenbau Mauermatten Strasse 22 79183 Waldkirch Germany Tel.: (+49) (0)7681 3134 Fax: (+49) (0)7681 4378 Mail: info@becherer.de Web: www.becherer.de USt-ID-Nr.: DE 814912198 Registergericht: Freiburg HRB 701860 Geschäftsführer: Dipl.-Ing. (FH), EWE Simon H. Becherer Gerichtsstand / Sitz: Waldkirch Es gelten ausschließlich unsere allgemeinen Liefer- und Zahlungsbedingungen / Einkaufsbedingungen: www.becherer.de/AGB -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iQIcBAEBAgAGBQJaIV/SAAoJEOuDxDCJWQG+n2IP/1pG+d0+4Vdhkflzfqdm5to8 QjWusu7LcZrIxttxB5v2wQwuA3L167pFBJe8xslNn6VNZTexoIPIcOnK8zkdAcC6 ZjiGfIMHec3tHDFAA+29ayQ9h7krc6VkdNS0gGZc9bQa/UZvlxwDmYN1YOEDGmFe A0G671WKJocIYy6WawDroFcs9QRMGSH3TGLH05rOYotO8Cc0ECkZSeq2yZIphpKB e7LxDgf5alvZZfRivcV9+r16YtcbiO8hyfEs3OC9mw2ABq2CH8N4pulTKsgxmskq WGb0RuuDZrI1yqDGUNP02Y23n97K+lYcFLb/U6mYKj5NF4AJaUTgVk3iOr9zWM33 oWBXaYvfjPOcOp0qLRfUZ+5V9GRLF6Z2N7vcvwtkX9CU+lbtgKpm9zy9pjzmdSCF AOspwvMRKhSl3ObK2UFaxHR3BOTwm0SxK/kxLJBUaiJM5Hczgm4XJ1VgGnGnZSx7 l5yO2Ca4i3FIB2RUAVKSZOJq7VZMf7seveX289M6vQ+z3CludX2BGaZAs5H/AyDh 8xfSITEhK4uEbBbaK9kxDbcEaWaeHqavzhw//uvTg8LknFyrlvxRa7TADi8vp+7V QqaNP+yxGWHwAEAXwV9lw6qwU+niD+poOVTiYxtl5oLEdPWYVpV/UsR2zuKR4ln9 LrtKSlygSklEqSJib//n =W1P5 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
participants (3)
-
Christian Boltz -
Freigeist -
Simon Becherer