RBAC pam apparmor

[gertrud.af.svaneholm]

Hello!, I'm trying to implement some basic role based access control on my system as described here; https://gitlab.com/apparmor/apparmor...s/pam_apparmor, and here; https://gitlab.com/apparmor/apparmor...parmor_example. I've added the files as described and added a little test line for the confined_user profile in pam_roles, as such:

profile confined_user {
...
deny /home/USERNAME/testfile rwk,
}

I can see that the correct profile is in enforce mode (/bin/su//USERNAME), I have libpam-apparmor installed, I've added the necessary lines in the su pam configuration file. Yet if I su to USERNAME I can still edit and read the testfile logged in as USERNAME. If I change the apparmor line in /etc/pam.d I cannot use su anymore (su: cannot open session: System error) which means that the transition isn't hapenning .

How do I get this to work?
Also, where may I find better (more recent?) and more complete documentation of pam apparmor and apparmor RBAC?




---------------------------
Here are the files I've used (more or less the same ass the pam apparmor example linked above above)
/etc/pam-d/su https://pastebin.com/X1a5UAbZ
/etc/apparmor.d/pam_roles https://pastebin.com/rU0vnTtU (replaced my actual username with USERNAME)
/etc/apparmor.d/pam_binaries https://pastebin.com/MyaRj18Z
/etc/apparmor.d/pa/mappings https://pastebin.com/maFMFpxP

[gertrud.af.svaneholm]

Minor errors in the text: The error "su: cannot open session: System error" happens when I change the pam apparmor line from optional to required.
There are also some irrelevant grammatical errors in the file paths before the pastebin links.

[gertrud.af.svaneholm]

Also, here are the error messages when I try to su from user olof to admin
https://pastebin.com/AVw5PEVK

[arvidjaar]

Minor errors in the text: The error "su: cannot open session: System error" happens when I change the pam apparmor line from optional to required.

Is pam_apparmor installed?

P.S. please always put computer text inside [code]...[/code] tags.
P.P.S. please upload information to https://susepaste.org, not to commercial sites. Not everyone can or want access them.

[gertrud.af.svaneholm]

Is pam_apparmor installed?

P.S. please always put computer text inside [code]...[/code] tags.
P.P.S. please upload information to https://susepaste.org, not to commercial sites. Not everyone can or want access them.

Sorry about that, first time posting here.
Yes libpam-apparmor is installed.

[arvidjaar]

Yes libpam-apparmor is installed.

Such package does not exist in openSUSE. I asked about pam_apparmor.