Re: How to Configure Apparmor?
You weren't able to find any information on apparmor?
Hopefully this can get you started.
There are several commands you should get familiar with. (you will need sudo for these commands)
There are other commands, but I don't use them.
start - starts apparmor.
stop - stops apparmor.
status - tells you how many profiles you have and what mode they are in.
reload - reloads the profiles.
aa-complain - puts the profile into complain mode. If something doesn't work, put it in this mode. Complain mode is like learning mode.
aa-enforce - puts the profile into enforce mode. After you are done with your settings, put the profile in this mode.
autodep - creates a profile and puts it into complain mode.
logprofile - this is where you set the settings like inherit, glob, allow, deny. This is the most important part! It defines what your program can do and can't do.
If you use the status command, it will show you that you have one profile called /usr/sbin/cupsd in enforce mode.
What do you want to do first?
You need to make a profile for the application you want.
ex: autodep firefox
(Once firefox is created, the profile will be automatically put into complain mode. You can do a status command to check.)
Open firefox and start using firefox normally.
Now type in sudo logprofile
This is where it will start asking you questions. Pay attention to what it asks you.
In the end, it will ask you to save.
Your profile is still in complain mode. You need to test out your profile by putting it into enforce mode.
Open up your application and try to use it. If you are able to open it up and use it normally, then its good. (You can still refine your settings - settings are stored in /etc/apparmor.d/)
If it doesn't open or the application doesn't run well, you have 2 options:
1) Delete the profile and restart over. (I had to do this a few times)
2) Put the profile back into complain mode. Open up application and use it normally again. Close application. Do sudo logprofile. Put it back into enforce mode. Rinse and repeat.
Fellow apparmor users, please correct me if I'm wrong.
Ubuntu 12.04. 64bit. Desktop version. Gnome 3.4.1 O͜͡.O~