Managing Permissions for AppArmor Files in the /sys File System
This document (000021785) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15 all Service Packs
SUSE Linux Enterprise Server 12 all Service Packs
Situation
After changing the permissions of the following files to 664, they revert to 666 upon system reboot:
-
/sys/kernel/security/apparmor/.remove -
/sys/kernel/security/apparmor/.replace -
/sys/kernel/security/apparmor/.load -
/sys/kernel/security/apparmor/.access
Resolution
The affected files are managed by AppArmor. Their permissions are set to 666 upon creation, making permanent modifications challenging. This behavior is hard-coded in the kernel source, meaning changes require kernel source modifications, however, modifying the kernel source is not supported by SUSE.
Cause
The /sys file system is a virtual or pseudo file system, which differs from the general Linux file system. Permissions visible through the ls command are not necessarily enforced. The kernel performs additional permission checks when files are accessed or modified, for example, even if permissions appear to be 666, certain operations may still fail due to kernel-enforced restrictions.
Additional Information
Reference: Linux Kernel Source Code
https://github.com/torvalds/linux/blob/master/security/apparmor/apparmorfs.c#L2670
https://github.com/torvalds/linux/blob/master/security/apparmor/apparmorfs.c#L489
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021785
- Creation Date: 11-Apr-2025
- Modified Date:25-Apr-2025
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
