To achieve RBAC apparmor uses a combination of
security modules. The pam_cap.so module is used to raise a users
privileges while the pam_apparmor.so module is used to further
restrict the users processes from what would be possible with the
This document only covers the suggested method of achieving RBAC
in the current version of AppArmor (2.5), documentation on earlier
versions is linked below.
Setting up pam_cap.so
This is just a quick overview of how to set up the pam_cap.so module,
for a more in depth explanation see following links
from a terminal type - sudo apt-get install libcap2 libcap2-bin
synaptics - search for libcap2 and select libcap2, libcap2-bin for installation and click apply
configuring PAM to use pam_cap.so
Editing the pam_cap.so configuration file
Setting up pam_apparmor.so
Use pam_apparmor to assign profiles and or profile namespaces to a
user or process.
from a terminal type - sudo apt-get install libpam-apparmor
configuring PAM to use pam_apparmor.so
Editing the pam_apparmor.so configuration file
RBAC Policy choices
AppArmor provides three alternative ways that RBAC policy can be
Instead of breaking up permission per application (standard AppArmor
model), all permissions are encapsulated by a single profile that
confines all applications run by the user. This results
ix transitions Any application that needs
Profile Stacking (AppArmor 2.6)
AppArmor 2.6 opens up another possible method of applying RBAC policy,
by allowing for composition of profiles through profile stacking. This
allow for the application of the regular profile set and a user
confining profile without having to create a custom profile tree or
custom profile namespace.
To do this a user profile is created that encompasses all the
permissions the user should have, and then a new profile layer is
created that is pointed at the other policy that should be applied
(eg. the standard set of profiles). Now any tasks run by the confined
user will have a combined policy applied.
user profile considerations
leaving / collapsing the stack??
Outer single user profile + layer of regular profiles or new namespace
AppArmor has evolved over time, and with each new version features have
been added that affect how RBAC style confinement can be achieved in
AppArmor. In general each version of AppArmor builds on the previous
version so that the techniques used in previous version can still be
used. However each newer version either adds features that refine,
and improve on previous techniques, or introduces new techniques
making RBAC style policy easier and more flexible.
1.x - AppArmor versions prior to 2.0 exist only in the linux distro Immunix and are not covered here.