Fixing Apparmor

From bibbleWiki

Approach

Switching an AppArmor Profile to Complain Mode

Step 1: Enable Complain Mode

Use aa-complain to switch the target profile:

sudo aa-complain /etc/apparmor.d/unix-chkpwd

In complain mode the profile logs every access it would have denied but still allows it, so you can debug the profile without disrupting the service.

Step 2: Reproduce the Issue

Trigger the behavior that was causing denials, such as authentication or service startup, to generate relevant audit entries.

Step 3: Review Logs

Filter relevant AppArmor events:

sudo journalctl | grep apparmor

Or use ausearch to dig into audit events:

sudo ausearch -m avc -ts recent

Step 4: Apply Fixes with aa-logprof (Optional)

Run the guided profile editor:

sudo aa-logprof

It will prompt you to review recent denials and suggest appropriate rules.

Step 5: Revert to Enforce Mode (Cleanup)

Once debugging is complete, restore enforcement:

sudo aa-enforce /etc/apparmor.d/unix-chkpwd

Notes

  • Prefer canonical paths like /run over symlinks such as /var/run.
  • For disconnected path denials, consider adding flags=(attach_disconnected) to the profile.
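To triage the log output from Step 3 against the two notes above, here is an added helper (not part of this wiki page or of the AppArmor tools) that summarises what a profile in complain mode would have denied. The audit lines it processes are constructed for the example; it flags paths under /var/run that should be written as /run and events carrying the "disconnected path" marker that call for flags=(attach_disconnected). Note that in complain mode the entries are logged as apparmor="ALLOWED", so a grep for DENIED alone would miss them.

```shell
#!/bin/sh
# Constructed AppArmor audit lines in the form journalctl shows them; invented
# for this example, not captured from a real host. The profile is in complain
# mode, so violations are logged as apparmor="ALLOWED" rather than "DENIED".
SAMPLE_LOG='audit: type=1400 audit(1700000000.101:201): apparmor="ALLOWED" operation="open" profile="unix-chkpwd" name="/var/run/nscd/socket" pid=4242 comm="unix_chkpwd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.102:202): apparmor="ALLOWED" operation="open" profile="unix-chkpwd" name="/etc/shadow" pid=4242 comm="unix_chkpwd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.103:203): apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="unix-chkpwd" name="run/systemd/userdb/io.systemd.DynamicUser" pid=4242 comm="unix_chkpwd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.104:204): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="unix-chkpwd" pid=4300 comm="apparmor_parser"'

# summarize_denials PROFILE: read audit lines on stdin and print one line per
# event the named profile would have denied, as
#   <operation> <path> <denied_mask> <flag>
# where flag is "symlink-prefix" (path under /var/run, so the rule should use
# /run), "disconnected" (needs flags=(attach_disconnected)), or "-".
summarize_denials() {
  awk -v want="$1" '
    # Extract the quoted value of key="..." from the line, or "" if absent.
    function field(line, key,    start, len) {
      if (!match(line, key "=\"[^\"]*\"")) return ""
      start = RSTART + length(key) + 2      # skip key and ="
      len = RLENGTH - length(key) - 3       # drop key, =" and closing "
      return substr(line, start, len)
    }
    /apparmor="(ALLOWED|DENIED)"/ {
      if (field($0, "profile") != want) next
      path = field($0, "name"); flag = "-"
      if ($0 ~ /disconnected path/) flag = "disconnected"
      else if (path ~ /^\/var\/run\//) flag = "symlink-prefix"
      print field($0, "operation"), path, field($0, "denied_mask"), flag
    }'
}

# count_denials PROFILE: number of events summarize_denials reports.
count_denials() {
  summarize_denials "$1" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | summarize_denials unix-chkpwd
```

On a live system replace the sample with `sudo journalctl -k | summarize_denials unix-chkpwd` and use the flag column to decide whether a rule, a /run path, or attach_disconnected is the right fix before running aa-logprof.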