pam_apparmor
AppArmor ships with a set of profiles enabled by default. These are created
by the AppArmor developers, and are stored in
/etc/apparmor.d
. In addition to these profiles,
openSUSE Leap ships profiles for individual applications together with
the relevant application. These profiles are not enabled by default, and
reside under another directory than the standard AppArmor profiles,
/etc/apparmor/profiles/extras
.
The AppArmor tools (YaST, aa-genprof
and
aa-logprof
) support the use of a local repository.
Whenever you start to create a new profile from scratch, and there
already is an inactive profile in your local repository, you are asked
whether you want to use the existing inactive one from
/etc/apparmor/profiles/extras
and whether you want
to base your efforts on it. If you decide to use this profile, it gets
copied over to the directory of profiles enabled by default
(/etc/apparmor.d
) and loaded whenever AppArmor is
started. Any further adjustments will be done to the active profile under
/etc/apparmor.d
.