Defines, for every program, what it is allowed to access

Profiles

They are located in /etc/apparmor.d

  • You can create a profile for each binary
    • The file name is the path to the binary, e.g. usr.bin.man
    • replace / with .

Overwriting Profile

Create the profile file under /etc/apparmor.d/local

Bug!

Can't override a deny with a local allow; you have to change the profile itself then
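
The deny-versus-local-allow behaviour as a constructed example (added here, not taken from a shipped profile): the binary /usr/bin/example, its paths and both file contents are hypothetical.

```apparmor
# ---- /etc/apparmor.d/usr.bin.example (main profile, constructed) ----
include <tunables/global>

/usr/bin/example {
  include <abstractions/base>

  /usr/bin/example mr,
  owner @{HOME}/** r,

  # Explicit deny: takes precedence over every allow rule in the
  # compiled profile, no matter which file the allow comes from.
  deny owner @{HOME}/.ssh/** rw,

  # Local additions are merged into the profile at this point.
  include if exists <local/usr.bin.example>
}

# ---- /etc/apparmor.d/local/usr.bin.example (local file, constructed) ----
# No effect: the deny in the main profile still blocks this path.
owner @{HOME}/.ssh/config r,

# Effective: nothing denies this path, so the allow is added.
/srv/example/** r,
```

To actually permit the first path, narrow or remove the deny rule in the main profile and reload it with `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.example`.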

Modes

aa-status
  • Enforced: it works and stops programs
  • Complain: only logs
  • Disabled

Create profile based on logs

sudo aa-logprof


Docs

SELinux