diff --git a/utils/aa-audit.pod b/utils/aa-audit.pod index 9898782fc..8b47f306e 100644 --- a/utils/aa-audit.pod +++ b/utils/aa-audit.pod @@ -6,7 +6,7 @@ aa-audit - set an AppArmor security profile to I mode. =head1 SYNOPSIS -BexecutableE> [IexecutableE> ...] [I<-d /path/to/profiles>] [I<-r>]> +BexecutableE> [IexecutableE> ...] [I<-d /path/to/profiles>] [I<--no-reload>] [I<-r>]> =head1 OPTIONS @@ -15,9 +15,12 @@ B<-d --dir /path/to/profiles> Specifies where to look for the AppArmor security profile set. Defaults to /etc/apparmor.d. +B<--no-reload> + Do not reload the profile after modifying it. + B<-r --remove> - Removes the audit mode for the profile. + Removes the audit mode for the profile. =head1 DESCRIPTION diff --git a/utils/aa-cleanprof.pod b/utils/aa-cleanprof.pod index 95ab12951..acd4c7afd 100644 --- a/utils/aa-cleanprof.pod +++ b/utils/aa-cleanprof.pod @@ -6,7 +6,7 @@ aa-cleanprof - clean an existing AppArmor security profile. =head1 SYNOPSIS -BexecutableE> [IexecutableE> ...] [I<-d /path/to/profiles>] [I<-s>]> +BexecutableE> [IexecutableE> ...] [I<-d /path/to/profiles>] [I<--no-reload]> [I<-s>]> =head1 OPTIONS @@ -15,6 +15,9 @@ B<-d --dir /path/to/profiles> Specifies where to look for the AppArmor security profile set. Defaults to /etc/apparmor.d. +B<--no-reload> + Do not reload the profile after modifying it. + B<-s --silent> Silently overwrites the profile without user prompt. @@ -22,7 +25,7 @@ B<-s --silent> =head1 DESCRIPTION B is used to perform a cleanup on one or more profiles. -The tool removes any existing superfluous rules (rules that are covered +The tool removes any existing superfluous rules (rules that are covered under an include or another rule), reorders the rules to group similar rules together and removes all comments from the file. diff --git a/utils/aa-complain.pod b/utils/aa-complain.pod index 764afa697..5e1058803 100644 --- a/utils/aa-complain.pod +++ b/utils/aa-complain.pod @@ -26,7 +26,7 @@ aa-complain - set an AppArmor security profile to I mode. =head1 SYNOPSIS -B<< aa-complain IexecutableE> [IexecutableE> ...] [I<-d /path/to/profiles>] >> +BexecutableE> [IexecutableE> ...] [I<-d /path/to/profiles>] [I<--no-reload>]> =head1 OPTIONS @@ -35,6 +35,9 @@ B<-d --dir /path/to/profiles> Specifies where to look for the AppArmor security profile set. Defaults to /etc/apparmor.d. +B<--no-reload> + Do not reload the profile after modifying it. + =head1 DESCRIPTION B is used to set the enforcement mode for one or more profiles to I mode. diff --git a/utils/aa-disable.pod b/utils/aa-disable.pod index f36d7ad05..a8f6d744a 100644 --- a/utils/aa-disable.pod +++ b/utils/aa-disable.pod @@ -26,7 +26,7 @@ aa-disable - disable an AppArmor security profile =head1 SYNOPSIS -BexecutableE> [IexecutableE> ...] [I<-d /path/to/profiles>] [I<-r>]> +BexecutableE> [IexecutableE> ...] [I<-d /path/to/profiles>] [I<--no-reload>] [I<-r>]> =head1 OPTIONS @@ -35,11 +35,14 @@ B<-d --dir /path/to/profiles> Specifies where to look for the AppArmor security profile set. Defaults to /etc/apparmor.d. +B<--no-reload> + Do not unreload the profile after modifying it. + =head1 DESCRIPTION -B is used to I one or more profiles. +B is used to I one or more profiles. This command will unload the profile from the kernel and prevent the -profile from being loaded on AppArmor startup. +profile from being loaded on AppArmor startup. The I and I utilities may be used to to change this behavior. diff --git a/utils/aa-enforce.pod b/utils/aa-enforce.pod index 464b8a8b4..236acf22f 100644 --- a/utils/aa-enforce.pod +++ b/utils/aa-enforce.pod @@ -27,7 +27,7 @@ being disabled or I mode. =head1 SYNOPSIS -B<< aa-enforce IexecutableE> [IexecutableE> ...] [I<-d /path/to/profiles>] >> +BexecutableE> [IexecutableE> ...] [I<-d /path/to/profiles>] [I<--no-reload>]> =head1 OPTIONS @@ -36,12 +36,15 @@ B<-d --dir / path/to/profiles> Specifies where to look for the AppArmor security profile set. Defaults to /etc/apparmor.d. +B<--no-reload> + Do not reload the profile after modifying it. + =head1 DESCRIPTION B is used to set one or more profiles to I mode. This command is only relevant in conjunction with the I utility which sets a profile to complain mode and the I utility which -unloads and disables a profile. +unloads and disables a profile. The default mode for a security policy is enforce and the I utility must be run to change this behavior.