Understanding AppArmor on SUSE
AppArmor status:
-
Enabled by default on SLES 15+
-
Path-based mandatory access control
-
Simpler than SELinux
-
Integrated with YaST
Check AppArmor status:
sudo aa-status
# Check if AppArmor is enabled
sudo systemctl status apparmor
AppArmor Profiles for NVMe-TCP
Check for denials:
# View AppArmor messages
sudo dmesg | grep -i apparmor
sudo journalctl | grep -i apparmor
# Check audit log
sudo grep -i apparmor /var/log/audit/audit.log
Using YaST for AppArmor:
# Launch YaST AppArmor module
sudo yast2 apparmor
# Or command-line tools
sudo aa-status
AppArmor and NVMe-TCP:
Tip:
NVMe-TCP uses native NVMe multipathing, NOT dm-multipath (multipathd). There is no multipathd service for NVMe-TCP, so you don't need to create AppArmor profiles for it.
If you have custom applications accessing NVMe devices:
# Install AppArmor utilities
sudo zypper install -y apparmor-utils
# Check if any AppArmor denials related to NVMe
sudo dmesg | grep -i apparmor | grep nvme
# If you have custom scripts accessing NVMe devices,
# you may need to add these permissions to their profiles:
# /dev/nvme* rw,
# /sys/class/nvme/** r,
# /sys/devices/**/nvme*/** r,