Questions tagged [apparmor]
AppArmor is a Linux Security Module
342
questions
107
votes
3
answers
52k
views
What is apparmor?
I hear a lot of talk about apparmor, and I want to know the following:
What is apparmor?
How does apparmor work?
44
votes
5
answers
76k
views
MySQL won't start because of AppArmor?
I'm trying to install mysql-server-5.7 on Kubuntu 16.04, but I'm having trouble.
sudo apt install mysql-server gives the following output.
Setting up mysql-server-5.7 (5.7.18-0ubuntu0.16.04.1) ...
...
33
votes
18
answers
82k
views
Can't start mysql - mysql respawning too fast, stopped
Today I did a fresh install of ubuntu 12.04 and went about setting up my local development environment. I installed mysql and edited /etc/mysql/my.cnf to optimise InnoDB but when I try to restart ...
28
votes
3
answers
11k
views
Is it a bad idea to run SELinux and AppArmor at the same time?
My corporate policy says that Linux boxes must be secured with SELinux (so that a security auditor can check the 'yes, we're extremely secure!' checkbox for each server). I had hoped to take ...
26
votes
7
answers
48k
views
How to secure ubuntu server from bruteforce ssh attacks?
I have my passwords secure, but I heard people complaining about performance of a server going down drastically when a bruteforce attack is taking place. How can I secure my ubuntu 10.10 server from ...
26
votes
3
answers
26k
views
How can I tell that apparmor is working?
Some questions I want answered in the answer:
How do I know if apparmor is running?
How can I tell if it's working well?
19
votes
1
answer
14k
views
the aa-enforce command for apparmor results in a "command not found" error
I am trying to enable the apparmor profile for firefox, but when I enter
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
I get an aa-enforce command not found message.
apparmor_status indicates ...
18
votes
2
answers
45k
views
How to allow bind in app armor?
Question:
I did set up bind9 as described here:
http://ubuntuforums.org/showthread.php?p=12149576#post12149576
Now I have a little problem with apparmor: If I switch it off, it works.
If apparmor ...
15
votes
1
answer
23k
views
AppArmor with cupsd denied in logs
I was updating the OS today (security patches), when I found something strange in the syslog:
apparmor="DENIED" operation="signal" profile="/usr/sbin/cupsd" pid=2483 comm="cupsd" requested_mask="send"...
13
votes
2
answers
31k
views
How to disable AppArmor for MySQL
I have followed the instructions here to set up a Galera cluster. The instruction says I need to disable AppArmor:
Disabling AppArmor
By default, some servers—for instance,
Ubuntu—include AppArmor, ...
13
votes
4
answers
24k
views
Apparmor Init Failed, Exit Code 123
Apparmor fails boot and command line start with same result as below
x@x-NICEPUTER:~$ systemctl --failed
UNIT LOAD ACTIVE SUB DESCRIPTION
● apparmor.service loaded failed failed ...
13
votes
2
answers
2k
views
Evince can not open links in snap Firefox
When I click on a link in a PDF document in Evince, it does not work. Instead, I only see cursor turning into a spinner and a message appearing in the terminal:
env: ‘/snap/bin/firefox’: Permission ...
12
votes
1
answer
3k
views
How do you permanently activate all AppArmor profiles?
I want all the AppArmor profiles activated wherever applicable permanently, how can I do that?
11
votes
1
answer
6k
views
How can I safely remove snap without breaking apparmor
I'd like to remove Snap from my system entirely, but have a smallish problem:
1st, I removed all snap packages:
sudo snap remove $(snap list | tail -n +2 | cut -d" " -f1 | grep -v core | tr "/n" " ")...
10
votes
3
answers
2k
views
Brave browser not starting due to snap mount namespace error
Brave installed from snap was running perfectly fine for months.
Since two days it is not starting when clicking Brave icon from launcher.
When attempting to run Brave from command line just calling ...
10
votes
1
answer
918
views
Apparmor has hats like null-12b08
I am running an Ubuntu 12.04.2 server with Apache using mod_apparmor. When I run aa-status, I see thousands and thousands (seriously, over 100,000) of profiles with names like
/usr/lib/apache2/mpm-...
9
votes
3
answers
5k
views
Why is firefox trying to access fstab and how can I stop it?
Today I ran journalctl -k and found hundreds of entries like this one:
Mar 27 22:15:11 charm kernel: audit: type=1400 audit(1679915711.422:1671372): apparmor="DENIED" operation="open...
9
votes
1
answer
4k
views
How to display AppArmor denied messages as desktop notifications
How can I get live notifications on my desktop whenever an AppArmor denied message is triggered?
9
votes
4
answers
31k
views
Unable to start mysql server after update
Today I updated the system, and I can't start the mysql server:
I'm getting the following error:
Aug 14 14:32:09 VULTURUS kernel: [ 1996.413190] init: mysql main process (14122) terminated with ...
9
votes
3
answers
3k
views
Can apparmor restrict interpreted languages?
For interpreted/vm languages(e.g. python, java, shell scripts) can apparmor be set to only confine a particular script or program? If so, how?
9
votes
1
answer
5k
views
AppArmor denying a mount operation
How do I convince apparmor to allow this operation?
[28763.284171] type=1400 audit(1344273461.387:192): apparmor="DENIED"
operation="mount" info="failed type match" error=-13 parent=7101
profile="lxc-...
9
votes
1
answer
863
views
Execute an executable under a dynamically-created AppArmor profile?
I've been looking into the possibility of running commands under dynamically created AppArmor profiles on my Ubuntu Server 16.04.1 LTS. I'm looking for something similar to the macOS sandbox-exec, ...
8
votes
4
answers
8k
views
after Ubuntu 21.10 upgrade: "cannot attach cgroup program" operation not permitted
Right after upgrading an Ubuntu 21.04 to 21.10, I got this issue:
Chromium/Firefox won't start.
The error (seen in terminal) is:
$ firefox
cannot attach cgroup program: Operation not permitted
8
votes
2
answers
28k
views
AppArmor audit logs ... what does this mean?
1 Time(s): audit: type=1400 audit(1473854574.089:113): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=31430 comm="apparmor_parser"
1 ...
8
votes
1
answer
752
views
How do I create a default fallback profile for any process that doesn't have one in AppArmor?
Is there a way to specify a default profile on any executable that doesn't have a profile already defined?
The idea is to avoid any unconstrained processes.
8
votes
3
answers
3k
views
How does AppArmor deal with non-profiled Programs?
I set up and configured AppArmor in Ubuntu and I would like to know how AppArmor deals with Packages and Applications which have no AppArmor Profile?
After installing the package with sudo apt-get ...
8
votes
1
answer
3k
views
Is troubleshooting AppArmor with 'teardown' unsafe?
I understand there is a safer, more targeted way to troubleshoot AppArmor's possible contribution to an issue than completely stopping the service and tearing down AppArmor profiles. Can someone give ...
8
votes
3
answers
2k
views
Libreoffice 5.4.5.1 gets access denied on NFS mounted filesystem
Using Ubuntu 17.10 and Libreoffice I've updated everything today.
Trying to open .od_ documents from my /Documents folder now yields "Access denied"
(see also question [Access to *.doc was denied | ...
8
votes
1
answer
1k
views
Excessive Firefox related AppArmor log entries
I recently installed and fully updated Ubuntu 22.04.1 LTS (jammy), 64-bit (amd64, x86_64). I removed 'snapd' and its default set of installed applications, which includes Firefox browser (which in 22....
7
votes
1
answer
5k
views
apt-get hang at Rsyslog
When I try to install something, there is a hang, I don't know if it's a bug or something else...
root@computer:~# apt-get install
Reading package list... Done
Building dependancy tree
Reading state ...
7
votes
2
answers
2k
views
What does Firefox AppArmor restrict/allow?
I know the AppArmor profiles resides in /etc/apparmor.d/, but I do not know how to interpret it. Any translation would be enlightening.
7
votes
1
answer
3k
views
Add custom AppArmor rules to snap?
I'm trying to get an application working with snapd and have run into some issues regarding AppArmor permissions. It seems that in order to have my app be fully functional, it needs some custom ...
7
votes
1
answer
5k
views
How to configure AppArmor for Snaps?
I've been using Snaps such as telegram-desktop and caprine for some time. caprine worked for a few days, but then AppArmor started to show denials in dmesg. caprine didn't even start, just crashed ...
7
votes
1
answer
5k
views
LibreOffice can't access /tmp files in 18.04
Just installed LibreOffice 6.0.4.2 in Ubuntu 18.04.
LibreOffice can't open (nor list) files from /tmp directory.
I've read about AppArmor profiles, devs talking about the "expected" /home use case, ...
6
votes
1
answer
13k
views
Can't install snapd on Ubuntu 18.04.2 LTS
snapd on my machine is not working and I tried reinstalling using sudo apt install --reinstall snapd
I got the below error.
Unpacking snapd (2.38+18.04) over (2.38+18.04) ...
Processing triggers for ...
6
votes
1
answer
13k
views
How to fix apparmor="DENIED" for telepathy-mission-control-5 under Ubuntu 14.04?
Just installed Ubuntu 14.04 LTS a week ago and a few programs for my work & fun:
nginx server, rabbitmq server, mysql server
php-fpm, hhvm
sublime-text, mysql workbench
hplib (for printer/scanner)...
6
votes
1
answer
8k
views
Where do I get the AppArmor 2.4 compatibility patch?
I just compiled the 2.6.39-rc1 kernel and AppArmor complains about a missing /sys interface (plus, it slows down the boot). Where do I get the AppArmor 2.4 compatibility patch AppArmor asks for?
6
votes
1
answer
8k
views
Unable to disable apparmor in Ubuntu 20.04 LTS
I tried to open a pdf in my external HD with Evince (pdf reader), but apparmor denied. Then I tried to find Evince's profile to add a link to it in /etc/apparmor.d/disable in order to disable the ...
6
votes
2
answers
4k
views
Moving a single MySql database to a separate physical disk
I am trying to move a single MySql database to another physical disk in my Ubuntu machine. I am using Ubuntu 17.04.
The external drive is mounted in /etc/fstab as follows (last line):
#zoneminder ...
6
votes
2
answers
7k
views
Contain Docker Engine with AppArmor
In face of the reminders that the Docker Engine should be run contained with AppArmor or SELinux, how to run Docker under AppArmor on Ubuntu 14.04?
The Docker Security documentation and the LXC ...
6
votes
1
answer
873
views
File access: open fails for one program but not another
This is the most unusual thing. I'm trying to start up mysqld with a different my.cnf (so I can have two MySQL daemons running without conflict). The file is /etc/mysql/my2.cnf but mysql won't open it....
6
votes
1
answer
8k
views
telegram-desktop does not start
Suddenly, telegram-desktop has stopped working on my laptop. I am running the snap version 3.2.0 on ubuntu 20.04. From the command line, or using the GUI, it stops immediately. I have found 2 errors: ...
6
votes
2
answers
2k
views
Discord, how can I make it stop flooding my logs?
I am on ubuntu 20.04 focal, and I have discord installed. While discord is active, I get loads of messages in dmesg from it.
[ 1242.218055] audit: type=1400 audit(1626585289.753:15781): apparmor="...
6
votes
2
answers
18k
views
Can not boot! Failed to start AppArmor initialization... Computer hanging in booting.. can not start
My HP Elitebook 2570p cannot boot! Failed to start AppArmor initialization... Computer hanging in booting process starting gnome display manager, dispatcher service....system changes .. p link was ...
6
votes
1
answer
527
views
Cannot access GIMP help because AppArmor stops it
I just installed GIMP through Ubuntu Software, which I understand uses snap. I tried to access GIMP help but it was blocked. I got this error:
Could not open 'https://docs.gimp.org/2.10/en/gimp-help....
6
votes
1
answer
2k
views
How can I configure apparmor to allow mariadb load a shared library?
After a routine update yesterday, MariaDB would not start because a shared library file is not loading because it is being blocked by apparmor.
Here's the output from the journalctl -xe
Apr 17 11:44:...
6
votes
0
answers
3k
views
apparmor="DENIED" operation="dbus_method_call"
My syslog is getting many messages like this:
dbus-daemon[1311]: message repeated 12 times: [ apparmor="DENIED" operation="dbus_method_call" bus="session" path="/...
6
votes
0
answers
4k
views
How to disable apparmor for Chromium snap? (Ubuntu 20.04)
When I type:
sudo apparmor_status
these 2 profiles are shown as enforce:
snap.chromium.chromedriver
snap.chromium.chromium
When I type:
sudo aa-complain /var/lib/snapd/apparmor/profiles/snap.chromium....
5
votes
4
answers
27k
views
Disabling AppArmor for KVM
I'm trying to take an external snapshot of my KVM guest using the following script:
DOMAIN=test-snapshots.programster.org
SNAPSHOT_NAME=snap3
STATE_FILE="/media/kvm/test-snapshots/mem-snap.qcow2"
...
5
votes
2
answers
3k
views
Why does apparmor kill dhclient?
I successfully upgraded my KVM server to 20.04.1 LTS but when later trying to access it by ssh, there were no network route to the server, while the VMs still were happily running just great. Logging ...