Set AppArmor Enforcing Mode
About This Task
Depending on the circumstances, it may be necessary to disable AppArmor enforcing mode. You can do so on a per-profile or system-wide basis.
Since AppArmor is enabled by default with eLxr 12 images, this procedure assumes all AppArmor profiles are enabled.
Before You Begin
You must have an eLxr Server 12 development host set up with sudo privileges. For details, see eLxr QuickStart: Quick Start Overview.
Procedure
Disable AppArmor System-wide
Run the following commands from a terminal. Stopping the service and running aa-teardown unloads every loaded profile, so all previously confined processes run unconfined until AppArmor is started again.
# sudo systemctl stop apparmor
# sudo aa-teardown
Disable AppArmor Profiles
When you disable a profile, you switch it from enforce mode to complain mode: the profile stays loaded, but policy violations are logged instead of blocked. In this case, you do not need to disable AppArmor system-wide as in the previous section.
Option 1: Disable a single profile:
# sudo aa-complain /etc/apparmor.d/<profile_name>
Option 2: Disable all profiles:
# sudo aa-complain /etc/apparmor.d/*
Enable a Single Profile
To return a profile that is in complain mode to enforce mode, use the aa-enforce application, giving it the path of the confined program. The example output below is for nginx.
# /usr/sbin/aa-enforce /usr/sbin/<app-name>
Setting /usr/sbin/nginx to enforce mode
Enable AppArmor System-wide
To enable AppArmor again, whether enforcing was disabled for a single profile or system-wide, start the apparmor service.
# sudo systemctl start apparmor
Use the aa-status application to verify AppArmor status.
# /usr/sbin/aa-status
apparmor module is loaded.
14 profiles are loaded.
14 profiles are in enforce mode.
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/{,usr/}sbin/dhclient
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
2 processes have profiles defined.
2 processes are in enforce mode.
/usr/sbin/cups-browsed (2128)
/usr/sbin/cupsd (805)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
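The aa-status listing above is also the natural place to check that nothing was left behind after troubleshooting: a profile switched to complain mode with aa-complain stays in complain mode until aa-enforce is run on it, and the only hint is the entry under "profiles are in complain mode." The following POSIX sh script is an added example, not part of the eLxr documentation, that parses aa-status output and reports every profile or process that is not in enforce mode. It assumes the output format shown above (count headers followed by indented entries); the two embedded status listings are constructed samples so the script runs offline, and the nginx profile in the first sample is a made-up entry left in complain mode on purpose.

```shell
#!/bin/sh
# Added example (not eLxr's own tooling): audit aa-status output for anything
# that is not in enforce mode, so a profile put into complain mode for
# troubleshooting and never returned to enforce mode is caught.
#
# On a live host:   sudo /usr/sbin/aa-status | aa_audit
# Exit status 0 means every loaded profile and confined process is in enforce
# mode; 1 means at least one entry was printed.

aa_audit() {
    awk '
        BEGIN { bad = 0; section = ""; mode = "" }
        # Count headers open a list and record the mode it describes
        # ("14 profiles are in enforce mode." -> $5 is "enforce").
        /^[0-9]+ profiles are in [a-z]+ mode\.$/  { section = "profile"; mode = $5; next }
        /^[0-9]+ processes are in [a-z]+ mode\.$/ { section = "process"; mode = $5; next }
        /^[0-9]+ processes are unconfined but have a profile defined\.$/ { section = "process"; mode = "unconfined"; next }
        # Any other count line ("14 profiles are loaded.") closes the list.
        /^[0-9]+ /   { section = ""; next }
        /^[ \t]*$/   { next }
        # Entries listed under a non-enforce header are the ones to report.
        section == "profile" && mode != "enforce" {
            sub(/^[ \t]+/, ""); printf "profile %s is in %s mode\n", $0, mode; bad = 1
        }
        section == "process" && mode != "enforce" {
            sub(/^[ \t]+/, ""); printf "process %s is in %s mode\n", $0, mode; bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample: one profile (and its process) left in complain mode.
# The nginx entries are hypothetical; the others mirror the listing on this page.
SAMPLE_STATUS='apparmor module is loaded.
4 profiles are loaded.
3 profiles are in enforce mode.
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   lsb_release
1 profiles are in complain mode.
   /usr/sbin/nginx
0 profiles are in kill mode.
0 profiles are in unconfined mode.
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (805)
1 processes are in complain mode.
   /usr/sbin/nginx (1234)
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.'

# Constructed sample: everything in enforce mode, condensed from the page listing.
CLEAN_STATUS='apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cups-browsed (2128)
   /usr/sbin/cupsd (805)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.'

# Stand-alone demo on the constructed samples.
for status in "$SAMPLE_STATUS" "$CLEAN_STATUS"; do
    if printf '%s\n' "$status" | aa_audit; then
        echo "OK: all loaded profiles and confined processes are in enforce mode"
    else
        echo "WARNING: non-enforcing entries found (listed above)"
    fi
done
```

Because aa-status only reports modes, the script cannot tell you why a profile is in complain mode; pair it with the aa-enforce step above to return any reported profile to enforce mode, and re-run it after a system-wide start of the apparmor service to confirm the expected profile count is loaded.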
Results
Now that you know how to manage AppArmor enforcing modes, you can learn how to create a profile to enable an application. For details, see Create an AppArmor Application Profile.