How to disable a particular AppArmor profile on Ubuntu

Last updated on November 21, 2020 by Dan Nanni

Question: Is it possible to disable AppArmor for a specific service or software only, instead of completely turning off AppArmor system-wide?

AppArmor, which is considered an alternative to SELinux, is the default application access control system of Ubuntu. Many Ubuntu packages (e.g., libvirt, MySQL) ship with their own AppArmor profiles, which restrict the capabilities of the programs they install.

If you suspect that AppArmor is interfering with particular software, you can try disabling its AppArmor profile as part of troubleshooting. Here is how to disable a particular AppArmor profile.

Check Current AppArmor Status

To check the current AppArmor status, use the aa-status command.

$ sudo aa-status 
apparmor module is loaded.
24 profiles are loaded.
24 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/tcpdump
   .....
0 profiles are in complain mode.
6 processes have profiles defined.
6 processes are in enforce mode.
   /sbin/dhclient (1599) 
   .....
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Disable a Specific AppArmor Profile Temporarily

To disable a particular AppArmor profile, first identify the name of the AppArmor profile. All existing AppArmor profiles are found at /etc/apparmor.d/.

In this example, we will choose the AppArmor profile for tcpdump.

To disable an AppArmor profile for tcpdump (whose AppArmor profile name is usr.sbin.tcpdump) temporarily, run the following command. This change will be lost once you reboot the system.

$ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump

To re-enable the AppArmor profile, run the following command:

$ sudo apparmor_parser /etc/apparmor.d/usr.sbin.tcpdump

Disable a Specific AppArmor Profile Permanently

If you want to disable an AppArmor profile permanently, use the following commands.

$ sudo ln -s /etc/apparmor.d/usr.sbin.tcpdump /etc/apparmor.d/disable/
$ sudo /etc/init.d/apparmor restart

At this point, AppArmor is disabled for tcpdump. You can confirm this by re-running aa-status:

$ sudo aa-status 

You should find that tcpdump is no longer listed under enforce mode.

To re-enable the profile and return tcpdump to its original enforce mode:

$ sudo rm /etc/apparmor.d/disable/usr.sbin.tcpdump
$ sudo /etc/init.d/apparmor restart
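Both methods above should be followed by a check that the profile really ended up in the state you intended: a profile unloaded with apparmor_parser -R comes back at reboot, and a symlink in /etc/apparmor.d/disable/ changes nothing until AppArmor is restarted. The following POSIX shell helper is an added example, not part of the original article; it parses aa-status output (a constructed sample is embedded) and checks for the disable symlink in a directory you pass in, so it runs without root. The function names profile_mode and profile_state are hypothetical.

```shell
#!/bin/sh
# Constructed aa-status output used as sample input; not captured from a real host.
SAMPLE_AA_STATUS='apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/tcpdump
1 profiles are in complain mode.
   /usr/sbin/mysqld
2 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (1599)
   /usr/sbin/tcpdump (2201)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# profile_mode STATUS_TEXT PROFILE_PATH -> enforce | complain | unloaded
# Walks the "profiles are in ... mode" sections of aa-status output; the
# "processes ..." sections are skipped so PID entries never confuse the match.
profile_mode() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[0-9]+ profiles are in enforce mode/  { section = "enforce";  next }
        /^[0-9]+ profiles are in complain mode/ { section = "complain"; next }
        /^[0-9]+ processes/                     { section = "" }
        section != "" && $1 == want             { print section; found = 1; exit }
        END { if (!found) print "unloaded" }'
}

# profile_state STATUS_TEXT APPARMOR_DIR PROFILE_NAME PROFILE_PATH
# Combines the loaded mode with the presence of APPARMOR_DIR/disable/PROFILE_NAME
# (the symlink the permanent method creates) into one verdict:
#   enforced                       loaded in enforce mode, no disable link
#   enforced-link-pending-restart  link exists but AppArmor was not restarted yet
#   disabled-until-reboot          unloaded (apparmor_parser -R) but no link
#   disabled-permanently           unloaded and link present
profile_state() {
    mode=$(profile_mode "$1" "$4")
    if [ -L "$2/disable/$3" ]; then link=yes; else link=no; fi
    case "$mode:$link" in
        enforce:no)   echo enforced ;;
        enforce:yes)  echo enforced-link-pending-restart ;;
        complain:*)   echo complain ;;
        unloaded:no)  echo disabled-until-reboot ;;
        unloaded:yes) echo disabled-permanently ;;
    esac
}

# On a real host (needs root for aa-status):
#   profile_state "$(sudo aa-status)" /etc/apparmor.d usr.sbin.tcpdump /usr/sbin/tcpdump
```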

Note: It is not a good idea to completely disable AppArmor system-wide, or permanently disable a particular AppArmor profile. Disabling an AppArmor profile should be a temporary measure during troubleshooting. If you find that AppArmor is interfering with particular software, you need to correct the corresponding AppArmor profile, e.g., fixing any incorrect path, etc., instead of turning it off permanently.


Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.
