Chapter 24. Confining Users with pam_apparmor

An AppArmor profile applies to an executable program; if a portion of the program needs different access permissions than other portions need, the program can change hats via change_hat to a different role, also known as a subprofile. The pam_apparmor PAM module allows applications to confine authenticated users into subprofiles based on group names, user names, or a default profile. To accomplish this, pam_apparmor needs to be registered as a PAM session module.

The package pam_apparmor may not be installed by default; if it is missing, install it using YaST or zypper. Details about how to set up and configure pam_apparmor can be found in /usr/share/doc/packages/pam_apparmor/README after the package has been installed. For details on PAM, refer to Chapter 2, Authentication with PAM.

pam_apparmor allows you to set up role-based access control (RBAC). A detailed HOWTO on setting up RBAC with AppArmor is available at http://wiki.apparmor.net/index.php/AppArmorRBAC.
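The following is an added illustration, not configuration from this guide or from the pam_apparmor package: a PAM session line that registers pam_apparmor for an assumed sshd service, and a hypothetical AppArmor profile for /usr/sbin/sshd that carries the per-user, per-group and DEFAULT hats the module changes into after authentication. Program paths, user name `alice`, group name `admins` and the file rules are all assumptions chosen for the example.

```apparmor
# Added to the session stack of the assumed service file /etc/pam.d/sshd
# (placed after the service's existing session modules):
#
#   session optional pam_apparmor.so order=user,group,default
#
# "order=" is the lookup order pam_apparmor uses when choosing a hat:
# a hat named after the user first, then one named after a primary
# group, then the hat named DEFAULT. An assumed login of user "alice"
# lands in ^alice; a member of group "admins" with no personal hat
# lands in ^admins; everyone else lands in ^DEFAULT.

#include <tunables/global>

# Hypothetical profile; only the hat structure is the point.
/usr/sbin/sshd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setuid,
  capability setgid,

  /usr/sbin/sshd mr,
  /etc/ssh/** r,

  # Hat for a specific user (name matches the Unix user name).
  ^alice {
    #include <abstractions/base>
    /home/alice/** rw,
    /bin/bash ix,
  }

  # Hat for a group (name matches the Unix group name).
  ^admins {
    #include <abstractions/base>
    /home/** rw,
    /etc/** r,
    /bin/bash ix,
  }

  # Fallback when neither a user nor a group hat matches.
  ^DEFAULT {
    #include <abstractions/base>
    /home/** r,
    /bin/bash ix,
  }
}
```

Because the module is registered as `optional`, a login does not fail if no hat matches; check `aa-status` and the audit log after enabling the profile to confirm that sessions actually end up in the intended hat.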