Set AppArmor Enforcing Mode
About This Task
Depending on the circumstances, it may be necessary to disable AppArmor enforcing mode. You can do so on a per-profile or system-wide basis.
Since AppArmor is enabled by default with eLxr 26.04 images, this procedure assumes all AppArmor profiles are enabled.
Before You Begin
You must have an eLxr Server 26.04 development host set up with sudo privileges. For details, see Quick Start Overview.
Procedure
Disable AppArmor System-wide
Run the following commands from a terminal.
$ sudo systemctl stop apparmor
$ sudo aa-teardown
Unloading AppArmor profiles
Disable AppArmor Profiles
When you disable a profile, its status changes from enforce mode to complain mode, in which AppArmor logs policy violations instead of blocking them. In this case, you do not need to disable AppArmor system-wide as shown in the example above.
Option 1: Disable a single profile:
$ sudo aa-complain /etc/apparmor.d/<profile_name>
Option 2: Disable all profiles:
$ sudo aa-complain /etc/apparmor.d/*
Enable a Single Profile
To return a profile that is in complain mode to enforce mode, use the aa-enforce application.
$ sudo aa-enforce /usr/sbin/<app-name>
Setting /usr/sbin/<app-name> to enforce mode
Enable AppArmor System-wide
To enable AppArmor, regardless of whether enforcing was disabled for a single profile or system-wide, restart the apparmor service.
$ sudo systemctl start apparmor
Use the aa-status application to verify AppArmor status.
$ sudo aa-status
apparmor module is loaded.
114 profiles are loaded.
74 profiles are in enforce mode.
-- More output --
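A check to run after the aa-status step above, confirming that no profile was left in complain mode (for example after troubleshooting with aa-complain). This is an added example, not part of the eLxr documentation; the function names are illustrative, and the sample aa-status text and the profile names in it are constructed.

```shell
#!/bin/sh
# Added example: report profiles that aa-status lists under
# "N profiles are in complain mode." Reads aa-status text on stdin.

complain_profiles() {
    awk '
        /^[0-9]+ profiles are in complain mode\.$/ { in_section = 1; next }
        /^[^ \t]/ { in_section = 0 }   # next unindented header ends the list
        in_section && NF { sub(/^[ \t]+/, ""); print }
    '
}

# Returns 0 when no profile is in complain mode, 1 otherwise.
check_enforcement() {
    left=$(complain_profiles)
    if [ -n "$left" ]; then
        printf 'Profiles still in complain mode:\n%s\n' "$left" >&2
        return 1
    fi
    return 0
}

# Constructed sample of aa-status output (profile names are made up).
SAMPLE_STATUS='apparmor module is loaded.
4 profiles are loaded.
2 profiles are in enforce mode.
   /usr/bin/man
   lsb_release
2 profiles are in complain mode.
   /usr/sbin/example-daemon
   example-app
0 profiles are in kill mode.
1 processes have profiles defined.
0 processes are in enforce mode.
1 processes are in complain mode.
   /usr/sbin/example-daemon (1234)
0 processes are unconfined but have a profile defined.'

# Demo on the sample; on a live host use: sudo aa-status | check_enforcement
printf '%s\n' "$SAMPLE_STATUS" | complain_profiles
```

The non-zero exit status from check_enforcement makes it usable as a gate in a provisioning or CI script.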
Results
Now that you know how to manage AppArmor enforcing modes, you can learn how to create a profile to enable an application. For details, see Create an AppArmor Application Profile.