28 Confining Users with pam_apparmor
  An AppArmor profile applies to an executable program; if a portion of the
  program needs different access permissions than other portions need, the
  program can change hats via change_hat to a different role, also known as
  a subprofile. The pam_apparmor PAM module allows
  applications to confine authenticated users into subprofiles based on
  group names, user names, or a default profile. To accomplish this,
  pam_apparmor needs to be registered as a PAM
  session module.
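
  To check the registration described above, the following added example (not part of the original guide or of the pam_apparmor package) reads a PAM service file and an AppArmor profile and confirms that the module is a session entry and that a DEFAULT hat exists when the lookup order falls back to it. The `order=` and `debug` options, the `group,default` default order, the hat name DEFAULT, the service name `exampled` and all sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit how pam_apparmor is wired into one PAM service.

# Print the hat lookup order set for pam_apparmor in a PAM service file ($1).
# Fails if the module is missing or registered under a type other than session.
pam_apparmor_order() {
    awk '
        $1 ~ /^#/ { next }                          # skip comment lines
        {
            type = $1; sub(/^-/, "", type)          # "-session" is still a session entry
            mod = 0
            for (i = 2; i <= NF; i++) if ($i ~ /(^|\/)pam_apparmor\.so$/) mod = i
            if (!mod) next
            if (type != "session") { bad = 1; next }
            order = "group,default"                 # assumed module default when order= is absent
            for (i = mod + 1; i <= NF; i++) if ($i ~ /^order=/) order = substr($i, 7)
            found = 1; print order
        }
        END { exit !(found && !bad) }
    ' "$1"
}

# List hats (subprofiles) declared as "^NAME {" in an AppArmor profile file ($1).
profile_hats() {
    sed -n 's/^[[:space:]]*\^\([^[:space:]{]*\).*{.*/\1/p' "$1"
}

# Succeed if the profile ($2) has a DEFAULT hat whenever the order in ($1) uses "default".
default_hat_covered() {
    order=$(pam_apparmor_order "$1") || return 2
    case ",$order," in
        *,default,*) profile_hats "$2" | grep -qx 'DEFAULT' ;;
        *) return 0 ;;
    esac
}

# Constructed sample inputs; "exampled" is a hypothetical PAM-aware service.
demo=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' 'auth     include   common-auth' \
    'session  optional  pam_apparmor.so order=user,group,default debug' > "$demo/exampled.pam"
printf '%s\n' '/usr/sbin/exampled {' '  ^admins { /srv/** rw, }' \
    '  ^DEFAULT { /srv/public/** r, }' '}' > "$demo/exampled.profile"

echo "order: $(pam_apparmor_order "$demo/exampled.pam")"
echo "hats:  $(profile_hats "$demo/exampled.profile" | tr '\n' ' ')"
default_hat_covered "$demo/exampled.pam" "$demo/exampled.profile" && echo "DEFAULT hat present"
```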
 
  The package pam_apparmor is not installed by
  default. You can install it using YaST or zypper.
  Details about how to set up and configure
  pam_apparmor can be found in
  /usr/share/doc/packages/pam_apparmor/README after the
  package has been installed. For details on PAM, refer to
  Chapter 2, Authentication with PAM.