NVMe-TCP on SUSE/openSUSE - AppArmor Configuration

Linux

Audience
Public
Product
FlashBlade
FlashArray
Technology Integrations
Linux
Source Type
Documentation

Understanding AppArmor on SUSE

AppArmor status:

  • Enabled by default on SLES 15+

  • Path-based mandatory access control

  • Simpler than SELinux

  • Integrated with YaST

Check AppArmor status:

sudo aa-status

# Check if AppArmor is enabled
sudo systemctl status apparmor

AppArmor Profiles for NVMe-TCP

Check for denials:

# View AppArmor messages
sudo dmesg | grep -i apparmor
sudo journalctl | grep -i apparmor

# Check audit log
sudo grep -i apparmor /var/log/audit/audit.log

Using YaST for AppArmor:

# Launch YaST AppArmor module
sudo yast2 apparmor

# Or command-line tools
sudo aa-status

AppArmor and NVMe-TCP:

Tip:

NVMe-TCP uses native NVMe multipathing, NOT dm-multipath (multipathd). There is no multipathd service for NVMe-TCP, so you don't need to create AppArmor profiles for it.

If you have custom applications accessing NVMe devices:

# Install AppArmor utilities
sudo zypper install -y apparmor-utils

# Check if any AppArmor denials related to NVMe
sudo dmesg | grep -i apparmor | grep nvme

# If you have custom scripts accessing NVMe devices,
# you may need to add these permissions to their profiles:
# /dev/nvme* rw,
# /sys/class/nvme/** r,
# /sys/devices/**/nvme*/** r,