Last updated on November 21, 2020 by Dan Nanni
AppArmor, which is considered an alternative to SELinux, is the default application access control system of Ubuntu. Many Ubuntu packages (e.g., libvirt, MySQL) come with corresponding AppArmor profiles that restrict the capabilities of the installed programs.
If you suspect that AppArmor is interfering with particular software, you can try disabling its AppArmor profile as part of troubleshooting. Here is how to disable a particular AppArmor profile.
To check the current AppArmor status, run:
$ sudo aa-status
apparmor module is loaded.
24 profiles are loaded.
24 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/tcpdump
   .....
0 profiles are in complain mode.
6 processes have profiles defined.
6 processes are in enforce mode.
   /sbin/dhclient (1599)
   .....
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
To disable a particular AppArmor profile, first identify the name of the AppArmor profile. All existing AppArmor profiles are found at
In this example, we will choose the AppArmor profile for
To disable an AppArmor profile for tcpdump (whose AppArmor profile name is usr.sbin.tcpdump) temporarily, run the following command. This change will be lost once you reboot the system.
$ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump
To re-enable the AppArmor profile, run the following command:
$ sudo apparmor_parser /etc/apparmor.d/usr.sbin.tcpdump
If you want to disable an AppArmor profile permanently, use the following commands.
$ sudo ln -s /etc/apparmor.d/usr.sbin.tcpdump /etc/apparmor.d/disable/
$ sudo /etc/init.d/apparmor restart
At this point, AppArmor is disabled for tcpdump. You can check the AppArmor status by re-running:
$ sudo aa-status
You should find that tcpdump is no longer listed under enforce mode.
To restore the AppArmor profile for tcpdump to its original enforcing state:
$ sudo rm /etc/apparmor.d/disable/usr.sbin.tcpdump
$ sudo /etc/init.d/apparmor restart
Note: It is not a good idea to completely disable AppArmor system-wide, or permanently disable a particular AppArmor profile. Disabling an AppArmor profile should be a temporary measure during troubleshooting. If you find that AppArmor is interfering with particular software, you need to correct the corresponding AppArmor profile, e.g., fixing any incorrect path, etc., instead of turning it off permanently.
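A symlink left behind in /etc/apparmor.d/disable/ keeps a profile off across reboots, so it is worth auditing that directory once troubleshooting is over. The script below is an added example, not part of the original article; the function name list_disabled_profiles and the "disabled"/"dangling" labels are made up for illustration.

```shell
#!/bin/sh
# Added example: list the entries in <apparmor.d>/disable/ so that profiles
# disabled during troubleshooting are not forgotten.
#
# list_disabled_profiles [APPARMOR_DIR]     (hypothetical helper name)
# Prints one line per entry: "<profile-name> <status>"
#   disabled = an entry with this profile name exists in disable/
#   dangling = a symlink whose target no longer exists (stale entry)
list_disabled_profiles() {
    aa_dir="${1:-/etc/apparmor.d}"
    disable_dir="$aa_dir/disable"

    # Nothing to report if the disable directory does not exist.
    [ -d "$disable_dir" ] || return 0

    for entry in "$disable_dir"/*; do
        # Skip the unexpanded glob pattern when the directory is empty.
        [ -e "$entry" ] || [ -L "$entry" ] || continue

        name=$(basename "$entry")
        if [ -L "$entry" ] && [ ! -e "$entry" ]; then
            echo "$name dangling"
        else
            echo "$name disabled"
        fi
    done
    return 0
}

# Read-only check of the directory given as the first argument, or of
# /etc/apparmor.d when no argument is passed. Does not require root.
list_disabled_profiles "$@"
```

Any profile name reported here should correspond to a troubleshooting session that is still in progress; otherwise remove the entry and restart AppArmor as shown above.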