How to disable a particular AppArmor profile on Ubuntu

Question: Is it possible to disable AppArmor for a specific service or software only, instead of completely turning off AppArmor system-wide?

AppArmor, which is considered an alternative to SELinux, is the default application access control system of Ubuntu. Many Ubuntu packages (e.g., libvirt, MySQL) come with their corresponding AppArmor profiles which restrict the capabilities of programs to be installed.

If you are suspecting that AppArmor is interfering with particular software, you can try disabling its AppArmor profile as part of troubleshooting. Here is how to disable a particular AppArmor profile.

Check Current AppArmor Status

To check the current AppArmor status, use aa-status command.

$ sudo aa-status
apparmor module is loaded.
24 profiles are loaded.
24 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/tcpdump
   .....
0 profiles are in complain mode.
6 processes have profiles defined.
6 processes are in enforce mode.
   /sbin/dhclient (1599) 
   .....
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Disable a Specific AppArmor Profile Temporarily

To disable a particular AppArmor profile, first identify the name of the AppArmor profile. All existing AppArmor profiles are found at /etc/apparmor.d/.

In this example, we will choose the AppArmor profile for tcpdump.

To disable an AppArmor profile for tcpdump (whose AppArmor profile name is usr.sbin.tcpdump) temporarily, run the following command. This change will be lost once you reboot the system.

$ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump

To re-enable the AppArmor profile, run the following command:

$ sudo apparmor_parser /etc/apparmor.d/usr.sbin.tcpdump

Disable a Specific AppArmor Profile Permanently

If you want to disable an AppArmor profile permanently, use the following commands.

$ sudo ln -s /etc/apparmor.d/usr.sbin.tcpdump /etc/apparmor.d/disable/
$ sudo /etc/init.d/apparmor restart

At this point, AppArmor is disabled for tcpdump. You can check AppArmor status by re-run:

$ sudo aa-status

You should find that tcpdump is no longer listed under enforce mode.

To re-enable AppArmor for tcpdump back to the original enforcing state:

$ sudo rm /etc/apparmor.d/disable/usr.sbin.tcpdump
$ sudo /etc/init.d/apparmor restart

Note: It is NOT a good idea to completely disable AppArmor system-wide, or permanently disable a particular AppArmor profile. Disabling an AppArmor profile should be a temporary measure during troubleshooting. If you find that AppArmor is interfering with particular software, you need to correct the corresponding AppArmor profile, e.g., fixing any incorrect path, etc., instead of turning it off permanently.

Download this article as ad-free PDF (made possible by your kind donation): 
Download PDF

Subscribe to Ask Xmodulo

Do you want to receive Linux related questions & answers published at Ask Xmodulo? Enter your email address below, and we will deliver our Linux Q&A straight to your email box, for free. Delivery powered by Google Feedburner.


Support Xmodulo

Did you find this tutorial helpful? Then please be generous and support Xmodulo!

Leave a comment

Your email address will not be published. Required fields are marked *