deleting apparmor-profile in yast?


deleting apparmor-profile in yast?

Simon Becherer

Hi,

how to delete in Tumbleweed an AppArmor profile, wrongly inserted in
the YaST AppArmor module?

I do not see anything to delete a profile inside yast-apparmor....

simoN




--
B e c h e r e r GmbH
Sondermaschinenbau
Mauermatten Strasse 22
79183 Waldkirch
Germany

Tel.: (+49) (0)7681 3134
Fax:  (+49) (0)7681 4378
Mail: [hidden email]
Web:  www.becherer.de

VAT ID no.: DE 814912198
Registration court: Freiburg HRB 701860
Managing director:
Dipl.-Ing. (FH), EWE   Simon H. Becherer
Place of jurisdiction / registered office: Waldkirch

Our general terms of delivery and payment / terms of purchase
apply exclusively:
www.becherer.de/AGB


--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: deleting apparmor-profile in yast?

Freigeist
On 29/11/17 19:43, Simon Becherer wrote:

>
> Hi,
>
> how to delete in Tumbleweed an AppArmor profile, wrongly inserted in
> the YaST AppArmor module?
>
> I do not see anything to delete a profile inside yast-apparmor....
>
> simoN
>

Hello Simon,

I don't know how to handle apparmor with Yast but you can try the
following in a terminal window:

24.5 Deleting an AppArmor Profile

The following steps describe the procedure for deleting an AppArmor profile.

1. If you are not currently logged in as root, enter su in a terminal window.
2. Enter the root password when prompted.
3. Go to the AppArmor directory with cd /etc/apparmor.d/.
4. Enter ls to view all the AppArmor profiles that are currently installed.
5. Look for the profile you created.
6. Delete the profile with rm PROFILENAME.
7. Restart AppArmor by entering "systemctl reload apparmor" in a terminal
   window.

There is more information about handling apparmor from the commandline here:

https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.apparmor.commandline.html#sec.apparmor.commandline.del


--
On a long enough timeline the survival rate for everyone drops to zero...


Re: deleting apparmor-profile in yast?

Simon Becherer

Hi Freigeist,

thanks for the info, it did not work, it is still there, but I got it this way:


1) ln -s /etc/apparmor.d/usr.bin.mywongsoftwarename /etc/apparmor.d/disable/
2) apparmor_parser -R /etc/apparmor.d/usr.bin.mywongsoftwarename
   (this line gave me a warning message, I do not know if it did anything, found somewhere on Google)
3) I stopped AppArmor in YaST.
4) delete /var/lib/apparmor/cache/usr.bin.mywongsoftwarename
5) delete /etc/apparmor.d/usr.bin.mywongsoftwarename
6) starting AppArmor in YaST.

now it's gone :-)))


simoN







Re: deleting apparmor-profile in yast?

Christian Boltz-5
Hello,

On Thursday, 30 November 2017, 08:53:34 CET, Simon Becherer wrote:
> thanks for the info, it did not work, it is still there, but I got it this way:

I'm afraid the documentation is slightly outdated in this detail.

In the past, "rcapparmor reload" indeed unloaded profiles that were no
longer in /etc/apparmor.d/. However, this also caused unloading of
automatically generated LXD profiles, which resulted in removing the
AppArmor confinement from those processes. (See
https://bugzilla.opensuse.org/show_bug.cgi?id=1029696 for details.)

Therefore the behaviour of "rcapparmor reload" was changed - it no
longer unloads "unknown" profiles (where "unknown" means profiles that
don't exist in /etc/apparmor.d).

To unload all "unknown" profiles (including automatically generated LXD
profiles!) you can use the new   aa-remove-unknown   tool.

aa-remove-unknown -n   does a "dry run" and lists the profiles that
would be unloaded, and calling aa-remove-unknown without parameters will
really unload "unknown" profiles.

> 1) ln -s /etc/apparmor.d/usr.bin.mywongsoftwarename /etc/apparmor.d/disable/
> 2) apparmor_parser -R /etc/apparmor.d/usr.bin.mywongsoftwarename
>    (this line gave me a warning message, I do not know if it did anything,
>    found somewhere on Google)
> 3) I stopped AppArmor in YaST.
> 4) delete /var/lib/apparmor/cache/usr.bin.mywongsoftwarename
> 5) delete /etc/apparmor.d/usr.bin.mywongsoftwarename
> 6) starting AppArmor in YaST.

You did too much here, and possibly now have applications running
unconfined. Stopping AppArmor will remove confinement from running
processes, and starting AppArmor can't (re)confine already running
processes. Check the   aa-status   output, and restart all processes
that are listed as "unconfined but have a profile defined" to confine
them again.


If you really want to unload and delete a single profile, the needed
steps are:

1) apparmor_parser -R /etc/apparmor.d/whatever
2) rm /etc/apparmor.d/whatever
3) rm /var/lib/apparmor/cache/whatever

Step 3 "only" frees a little bit of disk space - if you don't delete the
cache file, it won't hurt ;-)

Another option is to use   aa-disable /etc/apparmor.d/whatever
This will unload the profile and create a symlink in
/etc/apparmor.d/disable/


BTW: I pasted most of this mail into a documentation bugreport:
https://bugzilla.opensuse.org/show_bug.cgi?id=1070674


Regards,

Christian Boltz
--
A computer does what you "tell" it to, and not what you want.
Ergo, you have to know how to tell it what you want.
[Stefan G. Weichinger in postfixbuch-users]
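
Added example (not part of the mail above and not code from the AppArmor project): the three-step unload-then-delete order from Christian Boltz's message as a shell function that never stops the AppArmor service and keeps the file if the unload fails. The function name, its return codes and the AA_DIR, AA_CACHE and AA_PARSER overrides are assumptions made for this example.

```sh
#!/bin/sh
# Added example: unload, then delete, one AppArmor profile.
# AA_DIR, AA_CACHE and AA_PARSER are overrides assumed for this example so the
# function can be exercised against a scratch directory and a stub parser.
AA_DIR=${AA_DIR:-/etc/apparmor.d}
AA_CACHE=${AA_CACHE:-/var/lib/apparmor/cache}
AA_PARSER=${AA_PARSER:-apparmor_parser}

# remove_profile NAME   (NAME is the file name under $AA_DIR; run as root)
# Returns 0 on success, 2 bad name, 3 no such file, 4 unload failed, 5 rm failed.
remove_profile() {
    name=$1
    # Bare file names only, so the rm calls cannot leave the two directories.
    case $name in
        ''|*/*|.*) echo "invalid profile name: $name" >&2; return 2 ;;
    esac
    profile=$AA_DIR/$name
    if [ ! -f "$profile" ]; then
        echo "no such profile file: $profile" >&2; return 3
    fi
    # Step 1: unload from the kernel while the file still exists, because
    # the parser reads the file to learn which profile to remove.
    if ! "$AA_PARSER" -R "$profile"; then
        echo "unload failed, keeping $profile" >&2; return 4
    fi
    # Step 2: delete the profile so a later reload cannot load it again.
    rm -- "$profile" || return 5
    # Step 3: delete the cache entry; optional, it only frees disk space.
    rm -f -- "$AA_CACHE/$name"
    # Also drop a dangling symlink left in disable/ by an earlier aa-disable
    # or manual "ln -s" for this profile.
    if [ -L "$AA_DIR/disable/$name" ]; then
        rm -- "$AA_DIR/disable/$name"
    fi
    return 0
}
```

Because the service is never stopped, other confined processes keep their profiles while the one profile is removed.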



Re: deleting apparmor-profile in yast?

Simon Becherer

Thank you Christian,

I never was thinking so much about AppArmor... normally it's running
in the background and that's it.

simoN


