AppArmor vs SELinux:
- AppArmor: Path-based mandatory access control (Ubuntu default)
- SELinux: Label-based mandatory access control (RHEL default)
Check AppArmor status:
sudo aa-status
# Check if AppArmor is enabled
sudo systemctl status apparmor
Check iSCSI-related profiles:
# List loaded profiles
sudo aa-status | grep -i iscsi
# Check for denials
sudo dmesg | grep -i apparmor | grep -i iscsi
Create AppArmor profile for iSCSI (if needed):
# Most iSCSI tools run unconfined by default
# If you need to create a profile:
sudo tee /etc/apparmor.d/usr.sbin.iscsid > /dev/null <<'EOF'
#include <tunables/global>
/usr/sbin/iscsid {
#include <abstractions/base>
#include <abstractions/nameservice>
capability net_admin,
capability sys_admin,
capability dac_override,
/etc/iscsi/** r,
/var/lib/iscsi/** rw,
/run/lock/iscsi/** rw,
/sys/class/iscsi_host/** r,
/sys/devices/** r,
/usr/sbin/iscsid mr,
/proc/*/net/if_inet6 r,
/proc/sys/net/ipv4/conf/*/rp_filter r,
}
EOF
# Load profile
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.iscsid
-
Monitor for denials:
sudo dmesg | grep -i apparmor sudo journalctl | grep -i apparmor -
Use complain mode for testing:
# Set profile to complain mode sudo aa-complain /usr/sbin/iscsid # Set back to enforce mode sudo aa-enforce /usr/sbin/iscsid -
Keep AppArmor enabled in production
- Don't disable AppArmor
- Create proper profiles instead