How to disable a particular AppArmor profile on Ubuntu

Last updated on November 21, 2020 by Dan Nanni

Question: Is it possible to disable AppArmor for a specific service or software only, instead of completely turning off AppArmor system-wide?

AppArmor, which is considered an alternative to SELinux, is the default application access control system of Ubuntu. Many Ubuntu packages (e.g., libvirt, MySQL) come with their corresponding AppArmor profiles which restrict the capabilities of programs to be installed.

If you are suspecting that AppArmor is interfering with particular software, you can try disabling its AppArmor profile as part of troubleshooting. Here is how to disable a particular AppArmor profile.

Check Current AppArmor Status

To check the current AppArmor status, use aa-status command.

$ sudo aa-status 
apparmor module is loaded.
24 profiles are loaded.
24 profiles are in enforce mode.
0 profiles are in complain mode.
6 processes have profiles defined.
6 processes are in enforce mode.
   /sbin/dhclient (1599) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Disable a Specific AppArmor Profile Temporarily

To disable a particular AppArmor profile, first identify the name of the AppArmor profile. All existing AppArmor profiles are found at /etc/apparmor.d/.

In this example, we will choose the AppArmor profile for tcpdump.

To disable an AppArmor profile for tcpdump (whose AppArmor profile name is usr.sbin.tcpdump) temporarily, run the following command. This change will be lost once you reboot the system.

$ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump

To re-enable the AppArmor profile, run the following command:

$ sudo apparmor_parser /etc/apparmor.d/usr.sbin.tcpdump

Disable a Specific AppArmor Profile Permanently

If you want to disable an AppArmor profile permanently, use the following commands.

$ sudo ln -s /etc/apparmor.d/usr.sbin.tcpdump /etc/apparmor.d/disable/
$ sudo /etc/init.d/apparmor restart

At this point, AppArmor is disabled for tcpdump. You can check AppArmor status by re-run:

$ sudo aa-status 

You should find that tcpdump is no longer listed under enforce mode.

To re-enable AppArmor for tcpdump back to the original enforcing state:

$ sudo rm /etc/apparmor.d/disable/usr.sbin.tcpdump
$ sudo /etc/init.d/apparmor restart

Note: It is not a good idea to completely disable AppArmor system-wide, or permanently disable a particular AppArmor profile. Disabling an AppArmor profile should be a temporary measure during troubleshooting. If you find that AppArmor is interfering with particular software, you need to correct the corresponding AppArmor profile, e.g., fixing any incorrect path, etc., instead of turning it off permanently.

Support Xmodulo

This website is made possible by minimal ads and your gracious donation via PayPal or credit card

Please note that this article is published by under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at as the original source.

Xmodulo © 2021 ‒ AboutWrite for UsFeed ‒ Powered by DigitalOcean