iSCSI on Debian/Ubuntu - AppArmor Configuration

Linux

Audience
Public
Product
FlashBlade
FlashArray
Technology Integrations
Linux
Source Type
Documentation

AppArmor vs SELinux:

  • AppArmor: Path-based mandatory access control (Ubuntu default)
  • SELinux: Label-based mandatory access control (RHEL default)

Check AppArmor status:

sudo aa-status

# Check if AppArmor is enabled
sudo systemctl status apparmor

Check iSCSI-related profiles:

# List loaded profiles
sudo aa-status | grep -i iscsi

# Check for denials
sudo dmesg | grep -i apparmor | grep -i iscsi

Create AppArmor profile for iSCSI (if needed):

# Most iSCSI tools run unconfined by default
# If you need to create a profile:

sudo tee /etc/apparmor.d/usr.sbin.iscsid > /dev/null <<'EOF'
#include <tunables/global>

/usr/sbin/iscsid {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_admin,
  capability sys_admin,
  capability dac_override,

  /etc/iscsi/** r,
  /var/lib/iscsi/** rw,
  /run/lock/iscsi/** rw,
  /sys/class/iscsi_host/** r,
  /sys/devices/** r,

  /usr/sbin/iscsid mr,
  /proc/*/net/if_inet6 r,
  /proc/sys/net/ipv4/conf/*/rp_filter r,
}
EOF

# Load profile
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.iscsid
  1. Monitor for denials:
    sudo dmesg | grep -i apparmor sudo journalctl | grep -i apparmor
  2. Use complain mode for testing:
    # Set profile to complain mode sudo aa-complain /usr/sbin/iscsid
    # Set back to enforce mode sudo aa-enforce /usr/sbin/iscsid
  3. Keep AppArmor enabled in production

    • Don't disable AppArmor
    • Create proper profiles instead